Abstract



The realm of this thesis is cryptographic protocol theory in the quantum world. We study the security of quantum and classical protocols against adversaries that are assumed to exploit quantum effects to their advantage. Security in the quantum world means that quantum computation does not jeopardize the assumption underlying the protocol construction. Moreover, we encounter additional setbacks in the security proofs, which are mostly due to the fact that some well-known classical proof techniques are forbidden by certain properties of a quantum environment. Interestingly, we can exploit some of the very same properties to the benefit of quantum cryptography. Thus, this work lies right at the heart of the conflict between highly powerful effects but likewise rather demanding conditions in the quantum world.
1 Introduction



1.1 On Cryptography 



The multiple human needs and desires that demand privacy among two or more people in the midst of social life must inevitably lead to cryptology wherever men thrive and wherever they write.

— David Kahn

Cryptography is the art of secret writing (from Greek κρυπτός and γράφω) and may be considered almost as old as writing itself. Cryptography played a crucial role throughout the history of any society that depended on information, from the Greek Scytale and the Roman Caesar cipher, over the Vigenère cipher, electromechanical rotor machines and encryption standards, to forming the backbone of electronic infrastructures in modern life (see e.g. [Sin00] for a historic survey of cryptography).

The first cryptographic methods are known as secret-key cryptography, based on one secret key shared between the communicating parties and used both for encryption and decryption. Its main problem is already apparent from this description and lies in the logistics of distributing the key securely: Prior to any secret communication, the involved parties must be in possession of the same secret key. Nevertheless, secret-key cryptography was in use for thousands of years, adjusting its complexity to ever-increasing developments in technique and technology.

Public-key cryptography was the technological revolution solving the key distribution problem. The idea was independently discovered by Diffie and Hellman in [DH76], with Rivest, Shamir, and Adleman providing the first implementation [RSA78], and slightly earlier but in secrecy by Ellis, followed by Cocks' and Williamson's practical application (see e.g. [Coc08]). Public-key cryptography is based on a pair of keys for each communicating party, namely a public key for encryption and a corresponding secret key for decryption, where it must hold that it is computationally infeasible (in polynomial time) to derive the secret key from the public one. To this end, we require a family of trapdoor one-way functions defining the encryption and decryption procedures. Informally, that means that encryption is a one-way operation which is efficiently computable given the public key, whereas the decryption function is hard to compute unless the trapdoor, i.e. the secret key, is known. Thus, the public key can be published without compromising security, and hence public-key cryptography does not suffer from key distribution problems. Due to that, and to the fact that the technique additionally allows for digital signatures that are verifiable with the public key and yet unforgeable without the secret key, the concept of public-key cryptography is heavily used and required in the age of the Internet and the proliferation of electronic communication systems.

New potential in cryptography emerged with quantum cryptography, starting with Wiesner's groundbreaking paper [Wie83]¹ suggesting that "quantum mechanics allows us novel forms of coding without analogue [in classical physics]" (p. 78). His approach of conjugate coding did not only lay the foundations of the new cryptographic technique but also suggested a system for sending "two mutually exclusive messages" (p. 83), which is today known as the powerful primitive of oblivious transfer. It took several years (and the Caribbean sea) to establish quantum cryptography as a scientific discipline, accomplished by Bennett and Brassard, mainly by the BB84-protocol for quantum key distribution (QKD) [BB84] after preceding work such as [BBBW82, BBSS], culminating in the first practical realizations [BB89, BBB+92]. An alternative QKD scheme was independently proposed by Ekert in [Eke91], based on a different approach using quantum entanglement. Since then, QKD was further researched, both on a theoretical and an experimental level. Today, conjugate BB84-coding also forms the basis for various more general quantum cryptographic tasks other than key distribution.

Modern cryptography concerns, besides the secrecy and authenticity of communication, also the security of various other tasks. For instance, theoretical research in the sub-field of cryptographic protocol theory covers cryptographic primitives with fundamental properties for secure multi-party computation. Each primitive can be seen as a building block that implements some basic functionality. Composing such primitives within outer protocols yields applications that implement a specific task securely over a distance.



1.2 On the Quantum World 



Anyone who is not shocked by quantum theory has not understood it. 

— Niels Bohr 

In the quantum world, we consider the behavior of systems at the smallest scale, which cannot be explained nor described by classical physics. A quantum² is the smallest unit of a physical entity, and the fundamental concept in quantum information theory is a quantum bit, or short, a qubit. Quantum information theory was established at the beginning of the last century, but has been subject to different interpretations ever since — both scientific and philosophical. This thesis is divided into two subareas of quantum information theory, constituting the following two main parts, Part II and Part III (Part I is dedicated to preliminaries).

Part II is in the realm of quantum cryptography, where — informally speaking — the transmission of qubits followed by some classical post-processing is employed to accomplish a cryptographic task. The security is mainly derived from the special properties of the qubits during and after transmission, and therewith directly from physical laws.



¹ The paper was written in the early 1970s but rejected and only published retroactively in 1983.
² quantus (Latin): how much
Part III on cryptography in a quantum world refers to the study of cryptography with completely classical message exchange, but where the surrounding environment is quantum. In other words, the security of the classical schemes must withstand powerful quantum computing capabilities.

We now present — in brief and on a (counter-)intuitive level — the aspects unique to the quantum world which are relevant in the context of this work. Interestingly, these quantum features can be exploited to the benefit of quantum cryptography. However, the very same properties impose intriguingly new challenges in classical cryptography. In other words, "what quantum mechanics takes away with one hand, it gives back with the other" [NC00, p. 582]. And so, this work lies right at the heart of the conflict between highly powerful effects, but likewise rather demanding conditions.



Information gain vs. disturbance. This aspect might be argued to constitute the most outstanding advantage of quantum cryptography over the classical world, and forms "the engine that powers quantum cryptography" [Fuc96, p. 1]. In the classical case, a bit can simply be read in transmission, and the information gain solely depends on the security of the respective encryption used. In quantum cryptography, information is typically encoded in two complementary types of photon polarization or, in other words, a qubit is prepared in one out of two conjugate bases with orthogonal basis states. To gain information about such an unknown qubit, it must be observed, but observing in the quantum world means measuring. Measuring, or more precisely distinguishing between two non-orthogonal quantum states, is destructive, and therewith any measurement disturbs the system. This is captured by the Heisenberg uncertainty principle, which states that certain pairs of quantum properties are complementary in that measuring one of them necessarily disturbs the other.

Consequently, eavesdropping on a qubit transmission disturbs the system, and can therefore be noticed in a statistically detectable way. Moreover, the quantitative trade-off between information gain and disturbance is useful not only against an external adversary, but it is also a main ingredient when proving security against a dishonest player. This fact is inherent in the basic security aspects of all our quantum two-party protocols, discussed later in Part II.



An unknown quantum state cannot be copied. This fact — unheard of in the case of classical data — is formalized in the no-cloning theorem [WZ82]. The peculiar property constitutes another major security feature in quantum communications and underlies all our quantum protocols in Part II. However, it also sets severe restrictions in the theory of quantum computing. This becomes apparent in Part III, where the commonly used classical proof technique of rewinding, which is also briefly discussed below, requires copying certain data, and so has to be carefully reviewed in the quantum world.



Quantum memory is limited. A more practical issue concerns the limitation of the amount of qubits that can be stored and then retrieved undisturbed. This may be seen as a snapshot of the current state of the art. However, ongoing research strongly suggests that it is — and will be — much easier to transmit and measure qubits than it is to store them for a non-negligible time.

We will make use of this given fact in our quantum protocols in Chapter 6, which are designed such that dishonest parties would need large quantum memory to attack successfully — a security property that classical protocols cannot achieve. Yet, we do not rely exclusively on this condition, but investigate a wider diversification of security that is not threatened by potential breakthroughs in developing quantum storage.



Quantum rewinding is tricky. As already indicated, this statement is a key aspect in Part III, and originates from most of the above mentioned properties "all wrapped up together". Rewinding is a very powerful technique in simulation-based proofs against a classical dishonest party: We can prove security against a cheating player by showing that a run of a protocol between him and the honest player can be efficiently simulated without interacting with the honest player, but with a simulator instead. A simulator is a machine which does not know the secrets of the honest party but nevertheless sends messages like the honest player would do, yet with more freedom, e.g. in how and when to generate these. To conclude the proof, we then have to show that the running time of the simulation as well as the distribution of the conversation are according to expectations. A simulator basically prepares a valid conversation and tries it on the dishonest party. Now, in case this party does not send the expected reply, we need the possibility to rewind him³.

Unfortunately, rewinding as a proof technique can generally not be directly applied in the quantum world, i.e., if the dishonest machine is a quantum computer. First, we cannot trivially copy and store an intermediate state of a quantum system, and second, quantum measurements are in general irreversible. In order to produce a classical transcript, the simulator would have to partially measure the quantum system without copying it beforehand, but then it would become impossible to reconstruct all information necessary for correct rewinding.

Due to these difficulties, no simple and straightforward security proof for the quantum case was known. However, Watrous recently showed that in a limited setting an efficient quantum simulation, relying on the newly introduced quantum rewinding theorem (see [Wat09] and Section 3.5.2), is possible. We will discuss this aspect in more detail in Chapters 8 and 9. We will show that the quantum rewinding argument can also be applied to classical non-constant round coin-flipping in the quantum world, and propose a framework to weaken certain assumptions on the coin, in quest of a quantum-secure constant round protocol.

Spooky actions at a distance. This famous naming by Einstein⁴ describes the phenomenon of entanglement. Informally, two qubits are called entangled if their state can only be described with reference to each other. This has the effect that a measurement on one particle has an instantaneous impact on the other one — despite any distance separating the qubits spatially.

Entanglement is definitely a resource unique to the quantum world. In the words of Schrödinger, entanglement is not "one but rather the characteristic trait of quantum mechanics, the one that enforces its entire departure from classical lines of thought" [Sch35, p. 555]. Besides constituting a disturbing aspect — intuitively and philosophically — entanglement opens up for interesting applications such as quantum teleportation [BBC+93] and superdense coding [BW92], as well as for various aspects in quantum cryptography and computing. We will use entanglement as a thought experiment in our quantum protocols when analyzing an equivalent purified EPR-version⁵ (Chapter 5).

³ More precisely, we model the player — similar to the simulator — as a machine, and thus, we can just set back this machine to an earlier state, i.e., erase parts of the memory and start a new conversation. In that sense, rewinding can be thought of as, for instance, rebooting a computer after it crashed.
⁴ "Spooky actions at a distance" was put down originally as "spukhafte Fernwirkung" in [Ein71].



1.3 Contributions

This dissertation is based on research done during the three years of my PhD studies at the Department of Computer Science, Aarhus University, Denmark. Part of the research was conducted while visiting Université de Montréal, Quebec, Canada. The realm of this work is quantum cryptography and classical cryptography in the quantum world. More specifically, the thesis covers aspects of (quantum) cryptographic protocol theory, based on cryptographic primitives. The main results are outlined in the following sections and pictorially represented in Figure 1.1.



1.3.1 The Importance of Mixed Commitments

Classical mixed (or dual-mode) commitments are of great significance for most constructions discussed in this work. Here, we explain the challenges that the quantum world imposes on commitments in general and summarize the results of [DFL+09, DL09, LN10] in that aspect.



Security for classical constructions in the quantum world means that quantum computation does not jeopardize the underlying mathematical assumption that guarantees the security, for instance, in the context of commitments, the hiding and binding property. However, we encounter even more setbacks in the context of actually proving such constructions secure in an outer protocol, which, in regard to this work with its main focus on simulation-based security, are mostly due to the strong restrictions on rewinding in the quantum world.

The first difficulty in any attempt to rewind the adversary regards the fact that the reduction from the computational security of an outer protocol to the computationally binding property of a commitment does not simply translate from the classical to the quantum world. Computational binding means that if a dishonest party can open a commitment to two different values, then the computational assumption does not hold. In the classical case, a simulator simulates a run of the outer protocol with the committer, such that the latter outputs a valid commitment at some point during the execution. Later in the protocol he must then provide a correct opening. The simulator has the possibility to rewind the player to any step in the protocol execution, e.g. to a point after the commitment was sent. Then it can repeat the simulation of the outer protocol, which can now be adapted to the simulator's knowledge of the committed value. If the dishonest committer opened the same commitment to a different value than previously, he could break the underlying assumption guaranteeing computational binding. In other words, two valid openings of the same commitment imply the inversion of the underlying one-way function, which concludes the proof. Such a technique, however, is impossible to justify in the quantum world, since we cannot trivially copy and store an intermediate state, and measurements are in general irreversible. In order to succeed, the simulator would have to partially measure the quantum system without copying it beforehand to obtain the first transcript, but then it would become impossible to reconstruct all information necessary for correct rewinding.

⁵ An EPR-pair denotes a pair of entangled qubits. The name (ironically) originates from the paper [EPR35] by Einstein, Podolsky, and Rosen, in which they criticized quantum mechanics as an incomplete theory — due to entanglement.

The second challenge we encounter is to prove an outer protocol with an embedded computationally hiding commitment secure. Generally speaking, in a classical simulation of the outer protocol, the simulator aims e.g. at hitting an ideal outcome of a function, to which it then commits. Then, if the reply from the possibly dishonest counterpart matches this prepared function such that both sides conclude on the ideal value as their result, and the transcript is indistinguishable from a real run of the protocol, the simulation was successful. Otherwise, the simulator rewinds the dishonest player completely and repeats the simulation. We show a natural and direct translation of this scenario to the quantum world in Chapter 8, where we use a technique that allows quantum rewinding in this very setting when using bit commitments (see Section 1.3.3). In the case of string commitments, however, we cannot rewind the other player in poly-time to hit the guess, since that guess consists of a bit-string. A possible solution for simulating against a classical adversary is to let him commit to his message before the simulator commits. Then the player's message can be extracted and the simulation can be matched accordingly. This technique, however, is again doomed to fail in the quantum realm, since it reduces to the previous case where the simulator cannot preserve the other party's intermediate state as required during such a simulation.

We will circumvent both of the above aspects by introducing mixed commitment schemes in our protocols. Generally speaking, the notion of mixed commitments requires some trapdoor information, given to the simulator in the ideal world. Depending on the instantiation, the trapdoor provides the possibility for extraction of information out of the commitments or for equivocability when opening the commitments. This allows us to circumvent the necessity of rewinding in the proof, while achieving high security in the real protocol. The idea of mixed commitment schemes is described in more detail in Section 4.1.2 and a quantum-secure instantiation is proposed in Section 4.1.3. Various extensions are then discussed to match the construction to respective requirements in different outer protocols (Sections 4.1.4, 7.2 and 7.3).



1.3.2 Improving the Security of Quantum Protocols

The following results are joint work with Damgård, Fehr, Salvail, and Schaffner [DFL+09] and will be addressed in detail in Chapter 5.

We propose a general compiler for improving the security of a large class of two-party quantum protocols, implementing different cryptographic tasks and running between mutually distrusting players Alice and Bob. Our main result states that if the original protocol is secure against a so-called benign Bob, who is only required to treat the qubits "almost honestly" but can deviate arbitrarily afterwards, then the compiled protocol is secure against a computationally bounded quantum Bob. The unconditional security against Alice is preserved during compilation, and it requires only a constant increase of transmitted qubits and classical messages.

The consequences of such a compiler are twofold. First, the basic assumption in designing new protocols for any two-party functionality is reduced to the relatively weak assumption of benignity. On the other hand, the proofs for already existing protocols within the specific class typically go through under this assumption (at least after some minor adaptations). And second, security in the bounded-quantum-storage model implies benign security. Therefore, by compilation of such protocols, we can achieve hybrid security, which means that the adversary now needs both large quantum memory and large quantum computing power to break these new protocols.

In more detail, the protocols we consider here start with a qubit transmission from Alice to Bob, where each qubit is encoded in one of two conjugate bases. This implies that, whenever Bob measures in the complementary basis, he obtains a random outcome. The second part of the protocol consists of arbitrary classical messages and local computations, depending on the task at hand but typically relying on the fact that a dishonest Bob has high uncertainty about a crucial piece of information.

The basic technique to construct the compiler was already suggested in the first quantum oblivious transfer protocol [CK88]. We want to force Bob to measure by asking him to commit (using a classical scheme) to all his basis choices and measurement results, and then require him to open some of them later. While classical intuition suggests that the commitments should force Bob to measure (almost) all the qubits, it was previously very unclear what exactly this would achieve in the quantum world. To the best of our knowledge, it was never formally proven that the classical intuition also holds for a quantum Bob. We now give a full characterization of the commit&open approach in general quantum settings, namely that it forces Bob to be benign.

We propose a formal definition for benignity, which might be of independent interest. A benign Bob is characterized by the following two conditions, which must be satisfied after the qubit transmission. First, his quantum storage is very small, and second, there exists a basis-string such that the uncertainty about Alice's encoded bit is essentially one bit whenever the encoding basis does not match the basis indicated in that string. These two conditions imply that a successfully passed opening of his commitments for a random test subset puts Bob in a situation which is close to a scenario in which he measured as he was supposed to: His quantum memory is essentially of size zero, and furthermore, measuring the untested qubits in a basis complementary to the one Bob (claims to have) used leads to a result with large uncertainty. The bounds on Bob's uncertainty and his quantum memory are proven for an ideal state that is negligibly close to the real state. For the ideal state, we can then show that the remaining subsystem after the test is a superposition of states with relative Hamming distance upper bounded by the test estimate.
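As an added illustration (not code from the thesis), the following Python simulation models the qubit transmission and the commit&open test of Section 1.3.2: Bob commits to his basis choices and measurement results, Alice opens a random test subset and estimates the error rate on the positions where the bases match. It also shows the information-gain-versus-disturbance point of Section 1.2 in the two-party setting: a Bob who defers measuring (keeping the qubits in quantum memory) and commits to guessed outcomes fails the test with overwhelming probability. The hash-based commitment, the noise-free channel, the seeded toy randomness and the acceptance threshold are assumptions of this model, not the thesis's mixed commitment scheme.

```python
import hashlib
import random

# Constructed toy model of the commit&open test (Section 1.3.2), not the thesis's
# own code. Bases: 0 = computational, 1 = diagonal. A qubit prepared in one basis
# and measured in the conjugate basis yields a uniformly random outcome.
ERROR_THRESHOLD = 0.1   # assumed acceptance bound on the estimated error rate


def measure(bit, prep_basis, meas_basis, rng):
    """Outcome of measuring a qubit prepared as (bit, prep_basis) in meas_basis."""
    return bit if prep_basis == meas_basis else rng.randrange(2)


def commit(basis, outcome, rng):
    """Hash commitment to one (basis, outcome) pair with a fresh 128-bit nonce.
    Stand-in for the thesis's mixed commitment: hiding and binding are assumed."""
    nonce = rng.getrandbits(128).to_bytes(16, "big")
    digest = hashlib.sha256(nonce + bytes([basis, outcome])).hexdigest()
    return digest, (nonce, basis, outcome)


def verify_opening(digest, opening):
    """Check that an opened (nonce, basis, outcome) matches the committed digest."""
    nonce, basis, outcome = opening
    return hashlib.sha256(nonce + bytes([basis, outcome])).hexdigest() == digest


def run_protocol(n, test_fraction, bob_measures, seed):
    """One run: Alice sends n conjugately coded qubits, Bob commits to his bases and
    outcomes, Alice opens a random test subset and estimates the error rate.

    bob_measures=True : Bob measures each qubit on arrival, as prescribed.
    bob_measures=False: Bob keeps the qubits in quantum memory and commits to
                        guessed outcomes, the behaviour the test is meant to exclude.
    Returns (accepted, error_estimate, number of tested positions with matching bases).
    """
    rng = random.Random(seed)                        # reproducible toy randomness
    alice_bits = [rng.randrange(2) for _ in range(n)]
    alice_bases = [rng.randrange(2) for _ in range(n)]

    bob_bases = [rng.randrange(2) for _ in range(n)]
    if bob_measures:
        bob_outcomes = [measure(alice_bits[i], alice_bases[i], bob_bases[i], rng)
                        for i in range(n)]
    else:
        bob_outcomes = [rng.randrange(2) for _ in range(n)]

    # Bob commits to every pair before learning which positions will be tested;
    # Alice only sees the digests.
    commitments, openings = zip(*(commit(b, o, rng)
                                  for b, o in zip(bob_bases, bob_outcomes)))

    # Alice picks a random test subset and asks Bob to open exactly those positions.
    test_set = rng.sample(range(n), round(test_fraction * n))
    mismatches = matching = 0
    for i in test_set:
        if not verify_opening(commitments[i], openings[i]):
            return False, 1.0, 0                     # invalid opening: reject
        _, basis, outcome = openings[i]
        if basis == alice_bases[i]:                  # only matching bases are informative
            matching += 1
            mismatches += outcome != alice_bits[i]
    error_estimate = mismatches / matching if matching else 0.0
    # The test estimate is what bounds Bob's behaviour on the untested positions.
    return error_estimate <= ERROR_THRESHOLD, error_estimate, matching


if __name__ == "__main__":
    for honest in (True, False):
        accepted, err, m = run_protocol(1000, 0.5, honest, seed=1)
        print(f"Bob measures on arrival: {honest!s:5}  tested matching positions: {m:3d}  "
              f"error estimate: {err:.2f}  accepted: {accepted}")
```

In this noise-free model an honest Bob produces an error estimate of exactly zero, while a Bob who guesses instead of measuring is caught with an estimate near one half on the matching positions.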

To conclude the proof, we assume that the original protocol implements some ideal functionality with statistical security against benign Bob. Then we show that the compiled protocol with the commitments also implements that functionality, but now with security against any computationally bounded (quantum) Bob. To preserve the unconditional security of the original protocol, we require an unconditionally hiding commitment scheme. Since the common reduction from the computational security of the protocol to the computational binding property of a commitment would require rewinding, we use a mixed dual-mode commitment, which allows us to avoid rewinding Bob in this step (see also Section 1.3.1).

We generalize our result to noisy quantum communication and show that the compilation does not render sequential composability insecure. We then extend the underlying commitment scheme for a more general composability guarantee and obtain that any compiled protocol computationally quantum-UC-emulates its corresponding ideal functionality.

1.3.3 Classical Coin-Flipping in the Quantum World

The result on quantum-secure single coin-flipping is based on [DL09], co-authored with Damgård, and will be fully discussed in Chapter 8. The proposed amplification framework for obtaining strong coin-strings from weak initial assumptions on the coins is joint work with Nielsen [LN10] and will be addressed in more detail in Chapter 9.

We first investigate the standard coin-flipping protocol with classical message exchange but where the adversary is assumed to be capable of quantum computing. The output of the protocol is a uniformly random unbiased bit, and the construction does not require any set-up assumptions. Therewith, the communicating parties can interactively generate true randomness from scratch in the quantum world. Our result constitutes the most direct quantum analogue of the classical security proof, using a recent result of Watrous [Wat09] that allows for quantum rewinding in this restricted setting and when flipping a single coin.

The full potential of coin-flipping lies in the possibility of flipping a string of coins instead of a single bit, such that the parties can interactively generate a common random string from scratch. Therewith, it is possible, for instance, to implement the theoretical assumption of the common-reference-string model, which then implies that various interesting applications can be realized in a simple manner without any set-up assumptions.

We show that with our definitions, the single coin-flipping protocol composes sequentially. Additionally, we sketch an extended construction of the underlying commitment scheme, allowing for efficient simulation on both sides, with which we achieve more general composition guarantees. Both compositions, however, are not fully satisfactory. Sequential coin-flipping allows for implementations without set-up assumptions but leads to a non-constant round application. In contrast, parallel composition achieves much better efficiency with constant round complexity but requires some set-up assumptions in our proposed construction here. Unfortunately, we do not know how to extend Watrous' quantum rewinding to the case of bit-strings while keeping the running time of the simulator polynomial. The proof technique in the purely classical setting is impossible to apply in the quantum world (see also Section 1.3.1). Other techniques to achieve constant round coin-flipping are not known to date.

Our framework in Chapter 9 can be understood as a step towards constant round coin-flipping. We first investigate different security degrees of a string of coins. We then propose protocol constructions that allow us to amplify the respective degrees of security such that weaker coins are converted into very strong ones. The final result constitutes an amplification towards a coin-flipping protocol with long outcomes, which is fully poly-time simulatable on both sides against quantum adversaries. The protocol can be implemented with quantum-computational security in the plain model without any set-up assumptions. It only assumes mixed commitment schemes, which we know how to construct with quantum security, and no other assumptions are put forward. With this solution, we still have to compose the single coin-flip as sketched above sequentially to obtain long outcomes, but we achieve coins with stronger security.

Our method of amplifying the security strength of coins also applies to potential constant round coin-flipping. If the underlying weak protocol already produces string outcomes and is constant round, then the resulting strong protocol is also constant round, and we consider it a contribution in itself to define the weakest security notion for any potential candidate that allows amplification to the final strong protocol using a constant round reduction.



1.3.4 Applications

We consider our applications in both parts of the thesis (Chapters 6 and 10) well suited as examples for the respective preceding main results, since they all have some special properties. Depending on the context they are proposed in, they appeared in [DFL+09, DL09, LN10].

The first quantum protocol in Section 6.1 implements oblivious transfer (OT), which constitutes a highly relevant cryptographic primitive that is complete for general two-party computation. Interestingly, the idea behind this primitive was introduced in the context of quantum cryptography, namely in the pioneering paper of Wiesner [Wie83] that also paved the way for quantum cryptography by introducing the concept of conjugate coding. The very nature of conjugate coding implies oblivious transfer, and with that, it can be understood as a natural quantum primitive.

Classical and quantum OT cannot be implemented without any additional restrictions. However, in contrast to classical OT, quantum OT reduces to classical commitment. The idea of using a classical commitment within quantum protocols was already suggested in the first quantum oblivious transfer protocol [CK88] and its follow-up work in [BBCS91]. Various partial results followed, such as assuming a perfect ideal commitment [Yao95, May96, Unr10] or a (theoretical) quantum string commitment [CDMS04]. Based on the analysis of our compilation (sketched in Section 1.3.2), we can now rather simply apply our compiler to (a variant of) the original quantum OT-protocol, and therewith give a complete proof for a concrete commitment scheme.

In a rather straightforward way, oblivious transfer as a building block easily extends to password-based identification, which is needed for any authenticated set-up. The quantum identification scheme in Section 6.2 allows for identification by solely proving knowledge of a secret password without actually announcing it in the clear. Furthermore, it has some special properties which indicate its utility value in practice. First, the only option without being in possession of the password is to guess it, which implies that the same password may be safely reused for a long time. Second, the scheme tolerates a possibly non-uniform password, which translates to a realistic assumption of user-memorizable passwords. And last, a typical setting for identification is not necessarily required to run over large distances to be considered useful, and as such, it can actually be implemented with existing technology. Naturally, an identification scheme, secure under diversified assumptions and against any external adversary, is an important step towards an actual implementation.
The classical generation of commitment keys in Section 10.3 nicely combines the above applications with the results on quantum-secure coin-flipping, fulfilling the requirement on our mixed commitment construction. By running a coin-flipping protocol as an initial step in the quantum protocols above, the communicating players can interactively generate their commitment keys for compilation. This allows us to avoid the common-reference-string-model and yields implementations of entire protocols in the quantum world without any set-up assumptions.

The two applications in the context of zero-knowledge are interesting in that the interactive generation of coins at the beginning of or during outer protocols allows for quantum-secure realizations of classical schemes from scratch. First, in Section 10.1, we show a simple transformation from non-interactive zero-knowledge to interactive quantum zero-knowledge. Then, in Section 10.2, we propose a quantum-secure zero-knowledge proof of knowledge, which relies not only on initial randomness but also on enforceable randomness and is based on a witness encoding scheme providing a certain degree of extractability, defined for the quantum context to resemble special soundness of classical schemes. Both zero-knowledge constructions nicely highlight that the realization of coin-flipping as a stand-alone tool allows for using it rather freely in various contexts.
Figure 1.1: Picture of the Thesis.

Part I

Setting The Stage

Cryptographic Toolbox



In this work, we are interested in classical and quantum cryptographic two-party protocols, i.e., our focus lies on enabling two players to accomplish a specific task securely by communicating over a distance. In a perfect world of gentlemen, we could, of course, just communicate over a distance without using cryptographic security precautions. In an ideal world, we can simply assume a "black-box" that solves what we want while not leaking anything of importance. However, we operate in the real world. This means that we do not only have to take various dishonest players into account when implementing our protocols, but also that we have to work within a restricted framework of given conditions and existing resources.¹

In the following sections we formalize this intuitive description in cryptographic terms. 
The chapter is not intended to provide a full introduction to cryptographic protocol theory, 
but rather to give a brief but complete overview of notation, tools, conditions, and settings 
we will use, and to fix terminology that may vary in standard literature. In short, we are 
setting the stage for the results in this thesis. 



2.1 Players 

Our main characters are Alice and Bob, who are subject to different roles and cheating capabilities. The correctness of our two-party protocols is ensured if they implement the task at hand in the desired way. This scenario only concerns honest parties Alice and Bob, who may have different roles, such as sender, receiver, committer, verifier, user and server, depending on the respective functionality to be carried out. An honest player is denoted by P.

Security is shown by investigating the case where one of the parties is dishonest. More 
precisely, a dishonest party P' can try, for instance, to bias the outcome of the protocol or 
to succeed illegitimately. 

Between these two extremes, there are various nuances of cheating. For instance, the common notion of semi-honest describes an "honest-but-curious" player who is curious enough to try to gain additional information while following the protocol honestly. We will in Chapters 5 and 6 use another intermediate notion that captures benignly dishonest behavior in quantum protocols. The protocols consist of a quantum transmission phase and some classical post-processing. A benign receiver of qubits is assumed to treat these "almost honestly", which means he immediately measures most of the qubits upon reception in the specified bases. Afterwards, during the classical post-processing, he can deviate arbitrarily. Thus, in some sense, he wants to cheat but is incapable of mastering the quantum information in any other way than simply measuring it. We will define this newly introduced notion in greater detail later on, as it forms the foundation of our improved quantum protocols.

¹ Note that, throughout this work, we will use the terms ideal world and real world also in the more formal context of the so-called two-world paradigm (see Section 2.3) for simulation-based proofs.

A very different external adversary is the so-called man-in-the-middle Eve (denoted by E), 
who tries to eavesdrop on the classical and quantum communication between Alice and Bob, 
with the intention to break the protocol — or at least gain some information — without being 
detected. Quantum cryptography provides its protocols with automatic intrusion detection, 
due to the fact that here any kind of intrusion will inevitably disturb the system. However, 
we have to thoroughly implement the testing of qubits for interference as well as investigate 
the potential information leakage of the classical communication. 



2.2 Security Flavors, Assumptions, and Models 



The purpose and objective of theoretical cryptography is to design protocols with the highest security possible under any condition, that is, without any restriction on adversarial resources such as computing power and memory size. However, this unconditional security is extremely hard to obtain for both players simultaneously in the classical and in the quantum world. In fact, some tasks are proven to be impossible to achieve with unconditional security for both players. The most well-known example thereof might be the impossibility results on unconditionally secure classical and quantum bit commitment (proven in the quantum case by [May97, LC97]). Furthermore, for two distrusting parties, the only applications actually proven to be unconditionally secure regarding confidentiality are Vernam's symmetric one-time pad encryption [Ver26, Sha49] as well as quantum key distribution [BB84, SP00].

Thus, the level of security has to be lowered for implementing other functionalities, and we have to achieve a reasonable balance between realistic assumptions under consideration of current and future technology — as weak as possible — and yet meaningful security — as strong as possible. For that purpose, we specify cryptographic models to capture various notions of security and to impose realistic restrictions on the adversary. To mention just a few, such models consider limited computing power, limited memory size [Mau92, DFSS05], a common resource with special properties (e.g. initially shared randomness), noisy storage [WST08], or restricted quantum measurement (e.g. a limited set of measurements [KMP04] or a limited set of qubits to be measured at the same time [Sal98]).



Computational Security. Restricting the adversarial classical computing power and time is currently the most applied model in practical public-key cryptography. Thus, it is known as the plain model, achieving computational security based on classical hardness assumptions that some problems are computationally infeasible to solve in polynomial time.² Usually, security is shown by reducing the security of the actual scheme to that of a well-known mathematical problem. However, the hardness of such complexity assumptions is unproven.

² An algorithm is poly-time if its running time is upper bounded by a polynomial in the size of its input, i.e. O(n^c). In more detail, there exist constants c > 1 and n_0 such that poly(n) < n^c for all n > n_0. As synonyms, we often use feasible or efficient.

It should also not go unnoted that with the emergence of quantum computers which, due to their speed-up in running time, have great potential to solve several of the basic assumptions in polynomial time, security of various crypto-systems would fold. To give examples, Shor showed algorithms for efficiently factoring large integers [Sho97], which would jeopardize the RSA assumption, and for the related problem of computing discrete logarithms underlying e.g. the ElGamal encryption system. Grover's algorithm for conducting a search through some unstructured search space shows a quadratic speed-up over classical computation. This, for instance, also affects the time of performing exhaustive search over the set of possible keys used in symmetric crypto-systems (e.g. DES). Of course, these algorithms only yield profitable results if large-scale quantum computers can be built. Interestingly, the very quantum effects that make them so powerful also make them so difficult to control — so far.



Quantum-Computational Security. Recently, the new sub-field of so-called post-quantum cryptography has emerged within public-key cryptography.³ There, the focus lies on researching assumptions which are believed to be hard even on a quantum computer, and thus, on achieving quantum-computational security. Post-quantum crypto-schemes include, for instance, the McEliece crypto-system based on a coding-theoretic problem [McE78] and lattice-based crypto-systems (e.g. [Ajt96, Reg05]). The latter provide, besides good efficiency when en- and decoding, the merit that breaking the security of such protocols implies solving a hard lattice problem in the worst case. However, we should stress also in this context that this hardness is again assumed; formal proofs are still to come. In this work, we will use lattice-based crypto-systems for implementing mixed commitment schemes, secure in the quantum world (Chapters 5 and 9).



Quantum Security. In contrast to security through mathematical hardness assumptions in classical cryptography, the security in quantum cryptography is based on quantum mechanical laws. Proofs for physical limitations are not by reduction as for computational limitations but in information-theoretic terms. That means that in such models, an adversary does not learn any information, except with at most negligible probability.⁴



Bounded-Quantum-Storage Model. In the quantum cryptographic setting, one such physical limitation is formalized in the bounded-quantum-storage model (BQSM), proposed in [DFSS05]. The intuitive idea behind the model is that the most sensitive information is encoded in qubits that are transmitted in the first phase of the protocol. Then, at some later point, typically an announcement of the encoding bases follows to complete the task at hand. Now, under the assumption that an adversary's quantum memory size is limited, he cannot store all of the qubits but has to measure some fraction. Thus, by converting quantum information into classical information without complete knowledge of the right bases, information gets irreversibly destroyed.

³ The common classification might be slightly confusing, in that the notion "post-quantum" relates to the time after the successful development of large-scale quantum computers, as opposed to quantum cryptography.

⁴ Negligible in n means that a function of n is smaller than the inverse of any polynomial, provided n is sufficiently large, i.e., for all constants c there exists a constant n_c such that negl(n) < n^{-c} for all n > n_c.

The protocols in this model achieve unconditional protection against cheating by one of the players, while if the other is corrupted, the protocols are secure under the sole assumption that his quantum storage is of limited size, namely of size at most a constant fraction of the qubits sent. Such a bound can also be applied to an external eavesdropper's quantum memory by slightly extending the respective original protocol. The underlying motivation for the BQSM is the fact that transmission and measurement of qubits is well within reach of current technology. Storing quantum information however requires keeping the qubit state stable under controlled conditions for a non-negligible time, which still constitutes a major technological challenge, and an attack would require large quantum storage with a long lifetime. In contrast, honest parties, following the protocol, do not need quantum memory at all. Furthermore, neither honest nor dishonest parties are bounded with respect to their classical storage or computing power. We want to stress that the impossibility results against the bounded-classical-storage model (see e.g. [Mau90, Mau92, CCM98, DM04]) do not hold in the quantum setting.⁵ Hence, the BQSM is realistic for fundamental physical reasons and potentially useful in practice.

Many two-party applications investigated in the BQSM (like identification) are not necessarily required to run over large distances to be considered useful. Thus, such protocols can actually be implemented with existing devices, and many applications have been proven BQSM-secure [DFSS05, DFSS07, Sch07]. We will work in this model in Chapter 6, where it constitutes one of the security layers in our quantum protocols.



Common-Reference-String-Model. Another useful model, which we will consider, is the common-reference-string-model (CRS-model). In this model, as the name suggests, the parties are provided with a classical common public string before communication, taken from some fixed distribution that only depends on the security parameter. For efficiency and composability, we will often assume the model to allow for techniques which require an initially shared random string. However, we consider a random string "in the sky" a set-up which is only theoretically useful. To meet more practical demands, we suggest in Chapter 8 a quantum-secure implementation of the CRS-model "from scratch".



2.3 Worlds 

Classical vs. Quantum World. We are interested in cryptography in the quantum world, covering both quantum and classical cryptographic protocol theory, which is evident in the separation of the thesis in the two main parts: Part II on quantum cryptography and Part III on classical cryptography in the quantum world. Thus, throughout this work, we consider quantum potential — achieving very high security in the first case but also imposing new demands in the latter. In contrast, the (pure) classical world of cryptography does traditionally not assume adversarial quantum effects. However, we emphasize our very strong requirement also for all classical protocols and proofs to be quantum-computationally secure, which implies both the exclusive use of post-quantum crypto-schemes and the avoidance or careful adaptation of classical proof techniques.

⁵ The bounded-classical-storage model ensures security as long as the adversary's memory size is at most quadratic in the memory size of the honest players. A favorably larger gap between the storage assumptions on honest and dishonest parties was shown to be impossible [DM04].

Ideal vs. Real World. For the definition of security, we work in two different worlds, which are captured in the two-world paradigm of simulation-based proofs. The basic idea of the paradigm is to first specify the ideal functionality F that models the intended behavior of the protocol, or in other words, the properties we would have in an ideal world. The ideal functionality can be thought of as a trusted third party or simply a black-box that gets private inputs from the players, accomplishes a specific task without leaking any information, and then outputs the result to the respective player. Honest and dishonest players in the ideal world are modeled by probabilistic poly-time machines, denoted by P and P', respectively. The real world captures the actual protocol Π, consisting of message exchange between the parties and local computations. Recall that real-world players are indicated by honest P and dishonest P'.

Now, the input-output behavior of F defines the required input-output behavior of Π. Intuitively, if the executions are indistinguishable, security of the protocol in real life follows. In other words, a dishonest real-world player P' that attacks protocol Π cannot achieve (significantly) more than an ideal-world adversary P', attacking the corresponding ideal functionality F. We will make this aspect more formal in Section 3.6.



2.4 Primitives 



In the following, we will describe those two-party cryptographic primitives, along with some 
known facts about them, that are relevant in the context of this work. Primitives are fun- 
damental problems that are later used as basic building blocks in larger outer protocols. 
Discussed on their own, primitives might seem to be somewhat limited but still constitute 
intriguing thought experiments. For clarification, an identification scheme, as discussed in 
Section 2.4.3, may commonly not count as a primitive per se, although it may well consti- 
tute a building block in a larger outer protocol. Our prime purpose for introducing it in the 
context of primitives, however, is the close relation to oblivious transfer in its construction. 



2.4.1 Commitments 

Commitment schemes constitute a very important building block within cryptographic pro- 
tocols. In fact, all our protocols proposed here implementing a wide range of cryptographic 
tasks, make use of various types of commitment schemes, which may indicate the significance 
of the construction. Commitments can be realized with classical schemes or through quan- 
tum communication. Here, we will only discuss and construct commitments from classical 
crypto schemes, but with a strong requirement of quantum-computational security. 

Intuitively, a commitment scheme allows a player to commit to a value while keeping it hidden (hiding property), yet preserving the possibility to reveal the value fixed at commitment time later during the so-called opening phase (binding property). More formally, a basic commitment scheme commit(m, r) takes a message m and some random variable r as input. Depending on the respective scheme, the message m can be a single bit (bit commitment) or a bit sequence (string commitment). The length of the randomness r is polynomial in the security parameter. It is also possible to construct a so-called keyed commitment scheme of the form commit_K(m, r), which takes key K as additional input. The most common way of opening commitment commit(m, r) to reveal the committed message m when time is ripe is to send values m and r in plain, so that the receiver of the commitment can check its validity. In Chapter 9, we will change this way of opening a commitment, due to the special requirements of the particular construction there.

The hiding property is formalized by the non-existence of a distinguisher able to distinguish with non-negligible advantage between two commitments, i.e., we have indistinguishability between two commitments with commit(m1, r1) ≈ commit(m2, r2). The binding property is fulfilled if it is infeasible for a forger to open a commitment to more than one valid value, i.e., we have commit(m1, r1) ≠ commit(m2, r2) for m1 ≠ m2. Each property, hiding and binding, can be satisfied unconditionally or subject to a complexity assumption. The ideal case of unconditionally secure commitments, i.e. unconditionally hiding and unconditionally binding at the same time, is impossible. Consequently, we have to decide on one of the two flavors of commitment schemes, namely unconditionally hiding and computationally binding or unconditionally binding and computationally hiding.⁶ For completeness, it is worth noting that the same applies in quantum cryptography [May97, LC97], where perfect commitments can only be achieved when assuming some restrictions on the adversary, for instance, the BQSM [DFSS05, DFR+07].

In the context of oblivious transfer (OT; see Section 2.4.2), we know that a classical commitment does not imply classical OT without any additional requirement (such as key agreement). In contrast, a classical commitment implies quantum OT, which is all the more interesting as OT is complete for secure two-party computation. This implication in the quantum case was realized in [CK88] and proven partially in [Yao95, May96, CDMS04]. We will give the first full proof in Section 6.1.



Commitments are equivalent to one-way functions, i.e., a function f : {0,1}* → {0,1}* for which it is easy to compute f(x), given x. But given only y = f(x) where x is random, it is computationally infeasible in poly-time to compute any element in f^{-1}(y). Thus, from an appropriate one-way function, secure against quantum adversaries, we can construct quantum-secure commitment schemes (e.g. [Nao91]). Bit commitments, in turn, imply a quantum-secure coin-flip, which we will show in Chapter 8. Naturally, the hiding, respectively binding, property holds with unconditional security in the classical and the quantum setting, if the distinguisher, respectively the forger, is unrestricted with respect to his (quantum) computational power. Recall that in case of a poly-time bounded classical distinguisher, respectively forger, the commitment is computationally hiding, respectively binding. The computationally hiding property translates to the quantum world by simply allowing the distinguisher to be quantum. However, the case of a quantum forger cannot be handled in such a straightforward manner, since the commonly used classical proof technique relies on rewinding the possibly dishonest committer, which is in general prohibited by the laws of quantum mechanics.

⁶ Note that certain applications — beyond the scope of this work — have computational security simultaneously for both properties hiding and binding.






Another restriction on rewinding occurs when committing to a string instead of a single bit. Solutions for proving string commitments secure are known for the classical case, but they cannot be adapted to the quantum world. Thus, solutions for quantum-secure constant round coin-flipping are yet to come (see Chapter 9 and also Section 2.4.4).



2.4.2 Oblivious Transfer 

As already indicated, another highly relevant primitive in cryptography is oblivious transfer, commonly abbreviated by OT. Interestingly, the basic idea for OT was first proposed by Wiesner in the context of quantum cryptography, where he suggests conjugate coding as "a means for transmitting two messages either but not both of which may be received" [Wie83, p. 79]. OT as a cryptographic concept was then introduced by Rabin (Rabin-OT in [Rab81]) and Even, Goldreich, and Lempel (1-2 OT in [EGL85]). OT is a complete cryptographic primitive, i.e., it is sufficient for secure two-party computation [Kil88], meaning that secure 1-2 OT allows for implementing any cryptographic two-party functionality.

In this work, we are mainly interested in 1-2 OT^ℓ, i.e. one [message]-out-of-two [messages] oblivious transfer, with message length ℓ. In a 1-2 OT^ℓ protocol, the sender sends two ℓ-bit strings s_0 and s_1 to the receiver. The receiver can choose which string to receive, i.e. s_c according to his choice bit c, but does not learn anything about the other message s_{1-c}. At the same time, the sender does not learn c, i.e., he does not learn which string the other party has chosen.

As in the classical case, quantum OT cannot be implemented without any additional restrictions, such as bounded quantum memory in the BQSM [DFSS05, DFR+07]. However, in contrast to classical OT, quantum OT reduces to classical commitment, as already discussed before (more in Section 6.1).



Rand-OT is a randomized variation of general 1-2 OT and essentially coincides, except that the sender does not input the two messages himself; rather they are generated uniformly at random during the protocol (and then output to the sender). For completeness, we note that Rabin-OT is another slightly varied but equivalent version of 1-2 OT, where the sender transmits a message s with probability 1/2. However, he remains oblivious about whether or not the receiver actually got s. Thus, Rabin-OT can be seen as a secure erasure channel.

We conclude this introduction by mentioning two natural generalizations of 1-2 OT. First, 1-n OT allows the receiver to obtain exactly one element out of a set of n elements. This application is similar to private information retrieval in database settings but constitutes a stronger notion than the latter, as it additionally requires that the user is oblivious to all other items (as in database privacy). An even further generalization is m-n OT, in which the receiver can choose a subset of m elements out of the entire set of size n. Interestingly, 1-n OT underlies the construction of a quantum identification scheme in [DFSS05], which exemplifies the significance of the primitive. More details on this transformation are given in Section 2.4.3.

2.4.3 Password-Based Identification 



A password-based identification scheme (ID, in short) allows a user to identify himself to 
a server by proving his knowledge of a previously agreed secret password. In addition, we 
will put forward the following security requirement: Any party that is not in possession of 
the valid password can (essentially) not succeed by any other means but trying to guess. 
This means that a user without password — or in other words, a user who pretends to be 
someone else — cannot delude the server with a probability that exceeds the probability of 
guessing the respective password. Similarly, the server can only guess a user's password 
and then learn whether the guess is correct or not — but no information beyond that. This 
in particular implies that the same password may be safely reused in further runs of the 
protocol. Furthermore, our aim is to develop a scheme that tolerates a possibly non-uniform 
password, or in short, a realistic user-memorizable password (such as a PIN code) without 
jeopardizing security. 

For reasons of their significance in any authenticated set-up, a wide range of classical and quantum ID-schemes can be found in the literature (see Section 6.2). Here, we will however focus on the quantum identification scheme proposed in [DFSS05] and proven secure against any dishonest server with bounded quantum storage. Interestingly, in the context of primitives, it is constructed out of an extension of a randomized 1-2 OT^ℓ to a randomized 1-n OT^ℓ. We will briefly sketch the intuitive idea here: Recall that such a 1-n OT^ℓ supplies the user with n random ℓ-bit strings but yields only one of the strings on the server's side. Such a scheme can then be used for the purpose of identification, when the server "chooses" the one specific string indexed by the password, and the user proves which of the n strings obtained is the one with index matching the password. Note that this last step of comparison must be secured by another cryptographic technique such as a hash-function, and the strings must have large Hamming distance, which is not covered by the OT application itself. However, by the nature of secure OT, a dishonest user does not gain any information on the server's choice and thus does not know which string is the one getting accepted. A dishonest server can likewise not do better than guessing a choice, and so the string he later receives from the user is most probably random to him and hence contains no information on the password. We want to stress again that for simplicity, we skip many subtle but important details of the final ID-scheme as well as the means regarding better efficiency. More details are given in Section 6.2, where we propose an extension of the scheme towards higher and more diverse security.
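To make the sketch above concrete, the following added example (not the thesis' protocol and not code from [DFSS05]) simulates the randomized 1-n OT^ℓ as an ideal functionality, uses SHA-256 as the assumed hash-function for the comparison step, checks the Hamming-distance requirement, and counts how many of the n possible guesses a user without the password would get accepted.

```python
"""Password-based identification from a randomized 1-n OT^ell (added example).

The 1-n OT is an ideal functionality simulated by a trusted function, not the
BQSM protocol of the thesis; the final comparison uses SHA-256 as an assumed
hash-function. Passwords are indices in range(n).
"""
import hashlib
import hmac
import random
from typing import List, Tuple


def ideal_rand_1n_ot(n: int, ell: int, receiver_choice: int,
                     rng: random.Random) -> Tuple[List[bytes], bytes]:
    """Ideal randomized 1-n OT^ell: the sender (the user) receives all n random
    ell-bit strings, the receiver (the server) receives only the string indexed
    by his choice, here the password. Nothing else leaks to either side."""
    nbytes = (ell + 7) // 8
    strings = [rng.getrandbits(ell).to_bytes(nbytes, "big") for _ in range(n)]
    return strings, strings[receiver_choice]


def min_hamming_distance(strings: List[bytes]) -> int:
    """Minimum pairwise Hamming distance; the sketch needs this to be large so
    that two strings cannot be confused, which the OT alone does not guarantee."""
    best = 8 * len(strings[0])
    for i in range(len(strings)):
        for j in range(i + 1, len(strings)):
            xor = int.from_bytes(strings[i], "big") ^ int.from_bytes(strings[j], "big")
            best = min(best, bin(xor).count("1"))
    return best


def user_proof(strings: List[bytes], user_password: int) -> bytes:
    """The user points to the string indexed by his password by sending H(s_pw),
    not s_pw itself."""
    return hashlib.sha256(strings[user_password]).digest()


def server_check(server_string: bytes, proof: bytes) -> bool:
    """The server accepts iff the proof matches the single string he obtained.
    A wrong proof only tells him that this one guess (his choice) was wrong."""
    return hmac.compare_digest(hashlib.sha256(server_string).digest(), proof)


def run_identification(user_password: int, server_password: int,
                       n: int = 16, ell: int = 64, seed: int = 0) -> bool:
    """One protocol run; returns the server's verdict."""
    rng = random.Random(seed)  # seeded only to make the example reproducible
    strings, server_string = ideal_rand_1n_ot(n, ell, server_password, rng)
    return server_check(server_string, user_proof(strings, user_password))


def accepted_guesses(server_password: int, n: int = 16, ell: int = 64,
                     seed: int = 0) -> int:
    """A user without the password can only guess an index. Over all n guesses
    in one run, exactly one is accepted: success probability 1/n, i.e. no
    better than guessing the password outright."""
    return sum(run_identification(g, server_password, n, ell, seed) for g in range(n))
```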



2.4.4 Coin-Flipping 

True randomness is a crucial ingredient in cryptographic applications. Therefore, coin-flipping (or coin-tossing) is yet another essential primitive in this work. Secure coin-flipping allows two parties to agree on a uniformly random bit in a fair way, which means that neither party can influence the value of the coin to his advantage. Intuition suggests that this should be easily obtainable for an actual coin-toss if the parties met, flipped a coin together and simply looked at the outcome. Now, we want to achieve a similar fairness even when the parties are communicating over a distance. This problem was first formalized in cryptographic terms by Blum as coin-flipping by telephone [Blu81].

An ideal coin-flip can be modeled as follows: Each player inputs a bit of his choice, independently of each other, and the box then outputs the exclusive disjunction of the two bits as the coin. When implementing the primitive however, we must consider that one party must make a first move during communication, and therefore the other one may choose his bit accordingly. The most straightforward way to achieve fairness also over a distance is by bit commitments as follows. The first player chooses a random bit x_1 and commits to it, the other one then sends his bit x_2 in plain, then the commitment is opened, and the resulting coin is x_1 ⊕ x_2. Thus, bit commitment implies secure coin-flipping, since the first player is bound to his bit, but can still keep it hidden until the second player makes his move.
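The following added example (not code from the thesis) implements this coin-flip on top of the basic commitment scheme commit(m, r) of Section 2.4.1, instantiated here with an assumed hash-based commitment H(r || m) using SHA-256 and 32 bytes of randomness r. It contrasts the naive protocol, where the second player sees x_1 and fixes the coin, with the committed version, and shows that the first player cannot open his commitment to the other bit once he has seen x_2.

```python
"""Coin-flipping by telephone from a bit commitment (added example).

The commitment is an illustrative hash-based construction assumed here:
commit(m, r) = SHA-256(r || m) with 32 random bytes r. It is computationally
hiding and binding under standard assumptions on SHA-256 and is not one of the
lattice-based schemes the thesis constructs.
"""
import hashlib
import hmac
import secrets
from typing import Callable, Tuple

R_LEN = 32  # length of the randomness r in bytes (polynomial in the security parameter)


def commit(m: bytes, r: bytes) -> bytes:
    """Commitment phase: the committer sends only this digest."""
    return hashlib.sha256(r + m).digest()


def verify_opening(c: bytes, m: bytes, r: bytes) -> bool:
    """Opening phase: the committer reveals (m, r) in plain; the receiver recomputes."""
    return hmac.compare_digest(c, commit(m, r))


def naive_coin_flip(x1: int, second_player: Callable[[int], int]) -> int:
    """Without a commitment, player 1 sends x1 in plain and player 2 answers x2."""
    x2 = second_player(x1)
    return x1 ^ x2


def force_zero(x1: int) -> int:
    """A dishonest second player who sees x1 chooses x2 = x1, so the coin is always 0."""
    return x1


def coin_flip(x1: int, second_player: Callable[[bytes], int]) -> Tuple[int, bytes, bytes]:
    """Blum's protocol: P1 commits to x1, P2 sends x2, P1 opens, coin = x1 xor x2.

    second_player models P2's choice as a function of the only thing he sees
    before choosing, namely the commitment. Returns the coin and P1's opening.
    """
    r = secrets.token_bytes(R_LEN)
    m1 = bytes([x1])
    c = commit(m1, r)           # message 1, P1 -> P2: the commitment
    x2 = second_player(c)       # message 2, P2 -> P1: x2 in plain
    if not verify_opening(c, m1, r):   # message 3, P1 -> P2: (x1, r); P2 checks
        raise ValueError("invalid opening")
    return x1 ^ x2, c, r


def dishonest_opening_accepted(x1: int) -> bool:
    """Binding: after seeing x2, P1 tries to open his commitment to the other bit.

    Reusing the same r fails immediately; finding a fresh r' with
    commit(1 - x1, r') == c would require a second preimage of SHA-256.
    """
    r = secrets.token_bytes(R_LEN)
    c = commit(bytes([x1]), r)
    return verify_opening(c, bytes([1 - x1]), r)
```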

Secure implementations for coin-flipping have been proposed also by means of quantum communication, for instance, solutions for a strong coin-flip with a potential, optimal coin bias of approx. 0.2 and for the weaker notion with arbitrarily small bias. Note that in the quantum literature, "strong" or "weak" indicates whether the dishonest party cannot bias the coin more than specified, or whether the dishonest party can influence the coin entirely towards one outcome but only by the specified bias towards the other value, respectively (see e.g. [Weh08] for an overview). We want to stress that throughout this work, we use the (intuitive) literal interpretation of a "weak" and "strong" coin, indicating its degree of security.

We are interested in the standard coin-flipping protocol with classical message exchange, but where the adversary is assumed to be capable of quantum computing. Even when basing the embedded commitment on a computational assumption that withstands quantum attacks, the security proof of the entire coin-flipping and its integration into other applications could previously not be naturally translated from the classical to the quantum world. We will propose a solution based on Watrous' quantum rewinding in Chapter 8. Certainly, the desirable protocol would be constant round, meaning that a string of coins can be flipped in a constant number of rounds, instead of having the number of rounds depending on the number of coins. Towards this aim, we present a framework that transforms weaker demands on the coins into very strong properties, with the final result of a fully simulatable coin-flipping protocol, secure against poly-sized quantum adversaries, which can be implemented in the plain model from scratch (see Chapter 9). On a side note, implementing constant round coin-flipping is an open problem in the quantum setting. Interestingly, the first quantum application, namely quantum key distribution (QKD), enables two parties to produce a secret random bit-string (which is then used as a key in symmetric crypto-systems). However, by assumption on its purpose, the QKD-setting does not have to hold against an internal dishonest party. The requirements for secure coin-flipping are much stronger in this sense, and it turns out that in a typical QKD-protocol, the key could theoretically always be biased by one of the parties.

We conclude here by stressing the importance of truly random, fair coins for cryptographic 
purposes. Namely, by producing a string of coins, the communicating parties can 
interactively generate a common random string from scratch. The generation can then 
be integrated into other (classical or quantum) cryptographic protocols that work in the 
common-reference-string model. This way, various interesting applications can be implemented 
entirely in a simple manner without any set-up assumptions. We will discuss some 
examples thereof in Chapter 10. 



2.4.5 Zero-Knowledge 

Informally, a zero-knowledge (ZK) proof system is "both convincing and yet yield nothing 
beyond the validity of the assertion" [Gol10, p. 1]. Thus, only this one bit of knowledge 
is communicated from prover to verifier. Such building blocks are typically used in outer 
cryptographic protocols for enforcing that potentially dishonest players behave according to 
the protocol specification, namely, they are required to prove in zero-knowledge the 
correctness of a secret-based action without leaking the secret. As examples, we want to mention 
zero-knowledge proofs for Graph Isomorphism and Graph 3-Coloring, proven secure in the 
classical and quantum setting by [GMW91] and [Wat09], respectively. For a survey about 
zero-knowledge, we refer e.g. to [Gol01, Gol02, Gol10]. 

On a very intuitive level, such proof systems typically proceed in several rounds of a 
protocol. In each round, the prover must answer a challenge from the verifier which he does 
not know beforehand. In order to be able to answer all challenges in all rounds, the prover 
must know whatever he claims. We differentiate between proofs and proofs of knowledge. 
The respective definitions are given by two properties, which vary and are informally stated 
below. Loosely speaking, the distinction between proofs and proofs of knowledge is drawn 
in the content of the assertion: In a proof, the prover claims the existence of an object. In 
contrast, in a proof of knowledge, he claims knowledge of an object. We stress that a proof 
of existence cannot be modeled via an ideal functionality in the natural way, whereas a proof 
of knowledge can. The third property, zero-knowledge, is the same in both systems. 

Zero-Knowledge Proofs. Informally, a zero-knowledge proof for set $\mathcal{C}$ on common 
input $x$ yields no other knowledge than the validity of membership $x \in \mathcal{C}$, which holds if 
the following three requirements are satisfied. First, if the statement is true, i.e. $x \in \mathcal{C}$, 
an honest verifier will be convinced of this fact by an honest prover, and thus accept the 
proof (completeness). This holds with overwhelming probability. Second, if the statement 
is false, i.e. $x \notin \mathcal{C}$, a dishonest prover cannot convince an honest verifier of the contrary, 
except with small probability (soundness). And last, if the statement is true, a dishonest 
verifier learns nothing beyond this fact (zero-knowledge). The latter is shown by formally 
arguing that, given only the statement, a simulator can (by itself) produce a transcript that 
is indistinguishable from a real interaction between honest prover and dishonest verifier. The 
degree of indistinguishability then specifies the flavor of zero-knowledge. Note also that the 
first two properties are general aspects of interactive proof systems. However, in this context, 
they are defined in probabilistic terms, and we require the completeness and the soundness 
error to be negligible, at least after sufficiently many (sequential) repetitions. 

The notion of (interactive) zero-knowledge first appeared in [GMR85] by Goldwasser et 
al. Then in [GMW86], it was shown that ZK proofs exist for any $\mathcal{NP}$-language under the 
assumption that commitments exist, which in turn is implied by the existence of one-way 
functions [Nao91, HILL99].¹ Blum et al. showed that the interaction between prover and 
verifier in any ZK proof can be replaced by sharing a short common reference string available 
to all parties from the start of the protocol [BFM88]. Note that a reference string is a 
weaker requirement than interaction. The requirement for non-interactive zero-knowledge 
is simpler than for general zero-knowledge, since all information is communicated 
mono-directionally from prover to verifier. The verifier does not influence the distribution in the 
real world. Thus, in the ideal world, we require a simulator that only produces output that 
is indistinguishable from the real distribution of the output. We will use such a generic 
construction in Section 10.1, where we show a simple transformation from non-interactive 
zero-knowledge to interactive zero-knowledge in the quantum world. 

¹As in standard literature, $\mathcal{NP}$ (non-deterministic polynomial time) refers to the set of all decision 
problems where the "yes"-instances can be recognized in polynomial time by a non-deterministic Turing machine. 
The class $\mathcal{P}$ (deterministic polynomial time) contains all decision problems which can be solved by a 
deterministic Turing machine in polynomial time. Note that every set in $\mathcal{P}$ has a trivial zero-knowledge proof in 
which the verifier proves membership by himself. 



Zero-Knowledge Proofs of Knowledge. Intuitively, a zero-knowledge proof of knowledge 
for relation $\mathcal{R}$ with common instance $x$ and prover's private witness $w$ yields no other 
knowledge to the verifier than the validity of $(x,w) \in \mathcal{R}$. In particular, witness 
$w$ is not leaked. This is formulated by the following three requirements. First, if the prover 
follows the protocol and knows $w$ such that $(x,w) \in \mathcal{R}$, he will always convince the verifier. 
Note that this holds with probability 1, or in other words, completeness is defined 
deterministically rather than probabilistically. Second, if the (possibly dishonest) prover can, with 
whatever strategy, convince the verifier to accept, then he knows $w$. This holds except with 
a probability determined by the knowledge error, which again must be negligible in the length 
of the challenge (special soundness). Note here that in the context of machines, we interpret 
knowledge via behavior. In more detail, to define knowledge, we specify a knowledge 
extractor, and if the extractor can extract $w$ from the prover, for instance by 
simulating two accepting conversations via rewinding, we say that the prover knows $w$. This 
idea relieves the prover from having to output the knowledge itself, and therewith, the last 
requirement, i.e. the property of zero-knowledge, capturing that a dishonest verifier learns 
(essentially) nothing, remains unchanged from the description above. 

The concept of proofs of knowledge was also first introduced in [GMR85] and formulated 
in greater detail in [BG92]. We will propose a quantum-secure zero-knowledge proof of 
knowledge based on simulatable witness encoding in Section 10.2. 



Σ-Protocols. A Σ-protocol is a special case of the above, in that it is an honest-verifier 
zero-knowledge proof of knowledge. Such a protocol is of three-move form, starting with the 
prover's message $a_\Sigma$, followed by the verifier's challenge $c_\Sigma$, and concluded with the prover's 
response $z_\Sigma$. Its name originates from this form, as the "Σ" visualizes first the common 
input $x$, and then the flow of communication (from top to bottom). The flavor of 
honest-verifier zero-knowledge (HVZK), although weaker than general zero-knowledge, still allows 
for useful building blocks, which would be impossible to implement with a stronger notion in 
certain settings. As the name suggests, it captures a scenario in which, instead of covering 
any feasible verifier strategy, the verifier behaves honestly (or rather honest-but-curious), and 
maintains and outputs a transcript of the entire interaction. 

By its nature of being a proof of knowledge, special soundness holds for a Σ-protocol, 
and therewith, from two accepting conversations with the same first message but different 
challenges, a $w$ can be extracted such that $(x,w) \in \mathcal{R}$. We will use an honest-verifier 
simulator as a black box in Sections 4.1.4 and 7.2 to receive, on input $x$, a valid conversation 
$(a_\Sigma, c_\Sigma, z_\Sigma)$. Intuitively, the purpose of using Σ-protocols then lies in the fact that only 
one valid conversation per first message could have been produced without knowing the witness. 
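As an added illustration of the three-move form and of the two properties just named (this example is not part of the thesis, and its group parameters are a toy choice made here), the following Python code runs Schnorr's Σ-protocol for the relation $\mathcal{R} = \{(x,w) : x = g^w \bmod p\}$: an honest execution, the honest-verifier simulator that outputs an accepting $(a_\Sigma, c_\Sigma, z_\Sigma)$ on input $x$ alone, and the special-soundness extractor that recovers $w$ from two accepting conversations with the same first message. Note that the discrete-logarithm assumption underlying this particular instance is broken by a quantum adversary; the code illustrates the structure of a Σ-protocol, not a quantum-secure instantiation.

```python
import secrets

# Toy group parameters, constructed for this example: p = 2q + 1 is a safe prime and
# G = 2^2 mod p generates the subgroup of prime order q. Real deployments use a
# 256-bit q or larger; the group is kept small here so the arithmetic is easy to follow.
P = 1019
Q = 509
G = pow(2, 2, P)
assert G != 1 and pow(G, Q, P) == 1, "G must generate the order-q subgroup"


def keygen():
    """Witness w and statement x = G^w; the relation R is {(x, w) : x = G^w mod p}."""
    w = secrets.randbelow(Q - 1) + 1
    return pow(G, w, P), w


def prover_commit():
    """First move a_Sigma: the prover commits to a fresh random exponent r (kept secret)."""
    r = secrets.randbelow(Q)
    return r, pow(G, r, P)


def verifier_challenge():
    """Second move c_Sigma: the honest verifier's challenge is uniform in Z_q."""
    return secrets.randbelow(Q)


def prover_respond(w, r, c):
    """Third move z_Sigma = r + c*w mod q; without w one cannot answer two challenges."""
    return (r + c * w) % Q


def verify(x, a, c, z):
    """The verifier accepts iff G^z = a * x^c mod p."""
    return pow(G, z, P) == (a * pow(x, c, P)) % P


def simulate(x, c=None):
    """Honest-verifier zero-knowledge simulator: choose z and c first, then solve for a.
    Given only the statement x it outputs an accepting transcript with exactly the
    distribution of a real one, so an honest-verifier transcript leaks nothing about w."""
    if c is None:
        c = secrets.randbelow(Q)
    z = secrets.randbelow(Q)
    a = (pow(G, z, P) * pow(pow(x, c, P), -1, P)) % P
    return a, c, z


def extract(a, c1, z1, c2, z2):
    """Special soundness: two accepting transcripts (a, c1, z1), (a, c2, z2) with c1 != c2
    reveal w = (z1 - z2) / (c1 - c2) mod q. A rewinding knowledge extractor obtains
    exactly such a pair by replaying the prover on a second challenge."""
    if c1 == c2:
        raise ValueError("extraction needs two different challenges on the same first message")
    return ((z1 - z2) * pow((c1 - c2) % Q, -1, Q)) % Q


def run_honest(x, w):
    """One full honest execution; returns the transcript and the verifier's decision."""
    r, a = prover_commit()
    c = verifier_challenge()
    z = prover_respond(w, r, c)
    return (a, c, z), verify(x, a, c, z)


if __name__ == "__main__":
    x, w = keygen()
    transcript, ok = run_honest(x, w)
    print("honest run accepted:", ok)
    a, c, z = simulate(x)
    print("simulated transcript accepted:", verify(x, a, c, z))
    r, a = prover_commit()
    w_ext = extract(a, 3, prover_respond(w, r, 3), 10, prover_respond(w, r, 10))
    print("extracted witness matches:", w_ext == w)
```

The simulator can produce one accepting conversation per first message because it picks the challenge before the first message; the extractor shows that whoever answers two different challenges on the same first message must hold $w$, which is the special-soundness argument used in the text.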
2.4.6 Secure Secret Sharing 



Secure secret sharing refers, as the name suggests, to a method for distributing one secret 
in several shares amongst the players. The secret can only be reconstructed by combining 
a sufficient number of shares (the threshold), but any individual share or any number of shares 
below the threshold does not contain any useful information on its own. 

Classical secret sharing schemes were introduced independently in [Sha79] and [Bla79], 
and quantum secret sharing was first proposed in [HBB99, CGL99]. Classical secret sharing 
is an extremely powerful primitive and is widely used in multi-party computation. We will 
use secret sharing as a building block for equipping our mixed commitments with trapdoor 
openings (Section 7.3). This extended construction will then constitute one essential step in 
bootstrapping fully simulatable coin-flipping from weak coin-flipping (Chapter 9). 
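As an added example (not the thesis's construction), the following Python code implements Shamir's threshold scheme [Sha79] over a prime field: `split` hides the secret as the constant term of a random polynomial of degree $t-1$, `reconstruct` recovers it from any $t$ shares by Lagrange interpolation at $0$, and `complete_to_candidate` shows why $t-1$ shares carry no information: for every candidate secret there is a polynomial of the right degree passing through the known shares and that candidate, so the shares are consistent with all secrets alike. The field prime and the share indices are choices made for this example.

```python
import secrets

# Field arithmetic modulo the Mersenne prime 2^127 - 1 (a constructed choice for this
# example; any prime larger than the secret and the number of shares works).
PRIME = 2**127 - 1


def _eval_poly(coeffs, x):
    """Evaluate coeffs[0] + coeffs[1]*x + ... at x by Horner's rule, mod PRIME."""
    acc = 0
    for coeff in reversed(coeffs):
        acc = (acc * x + coeff) % PRIME
    return acc


def split(secret, threshold, n):
    """Shamir (threshold, n) sharing: the secret is the constant term of a uniformly random
    polynomial of degree threshold-1; share i is the point (i, f(i)) for i = 1..n."""
    if not 1 <= threshold <= n:
        raise ValueError("need 1 <= threshold <= n")
    if not 0 <= secret < PRIME:
        raise ValueError("secret must be a field element")
    coeffs = [secret] + [secrets.randbelow(PRIME) for _ in range(threshold - 1)]
    return [(i, _eval_poly(coeffs, i)) for i in range(1, n + 1)]


def _interpolate(points, x):
    """Evaluate at x the unique polynomial of degree < len(points) through `points`
    (Lagrange form); the x-coordinates must be distinct field elements."""
    total = 0
    for i, (xi, yi) in enumerate(points):
        num, den = 1, 1
        for j, (xj, _) in enumerate(points):
            if i != j:
                num = (num * (x - xj)) % PRIME
                den = (den * (xi - xj)) % PRIME
        total = (total + yi * num * pow(den, -1, PRIME)) % PRIME
    return total


def reconstruct(shares, threshold):
    """Recover the secret f(0) from any `threshold` shares with distinct indices."""
    if len({x for x, _ in shares}) < threshold:
        raise ValueError("not enough distinct shares to reach the threshold")
    return _interpolate(shares[:threshold], 0)


def complete_to_candidate(shares, candidate, x_new):
    """Privacy argument made explicit: given fewer than `threshold` shares, ANY candidate
    secret is possible, because the shares together with (0, candidate) still lie on a
    polynomial of admissible degree. Returns the share at index x_new on that polynomial,
    which together with the known shares reconstructs to `candidate`."""
    if any(x == x_new or x == 0 for x, _ in shares):
        raise ValueError("x_new must be a fresh non-zero index")
    return x_new, _interpolate(shares + [(0, candidate)], x_new)


if __name__ == "__main__":
    shares = split(1234, 3, 5)
    print("any 3 of 5 shares:", reconstruct([shares[4], shares[1], shares[3]], 3))
    forged = complete_to_candidate(shares[:2], 999, 5)
    print("2 shares are consistent with secret 999 too:",
          reconstruct(shares[:2] + [forged], 3))
```

The last call is the point of the scheme: two shares of a 3-out-of-5 sharing fit the true secret 1234 and the arbitrary value 999 equally well, so an adversary holding them has learned nothing about which one was shared.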



Quantum Tools 



Quantum refers to a discrete unit of a physical quantity at the smallest scale, for which 
quantum mechanics constitutes the underlying mathematical framework. For the main part 
of this thesis, we will work with abstract mathematical objects, as our focus lies on theory, 
as opposed to realizing, for instance, a qubit as an actual physical system such as a "light 
quantum", encoded by the polarization of a photon. 

In this chapter, we give an overview of the aspects of quantum mechanics essential for 
this work. The connection between the mathematical description and physical reality is best 
reflected in the postulates of quantum mechanics, which are covered in Section 3.1. This 
section is also intended to fix the terminology we will use later on. Next, we will describe 
distance measures (Section 3.2) and uncertainty measures (Section 3.3). Then we will discuss 
the concept of information reconciliation and privacy amplification (Section 3.4) as well as the 
problems of rewinding in general quantum systems and the technique of quantum rewinding 
(Section 3.5). Finally, in Section 3.6, we will introduce the definitions of security which 
underlie all our following main results. 

3.1 Postulates and Terminology 

We now briefly introduce the field of quantum mechanics on the basis of its postulates, 
capturing quantum-physical events and processes in mathematical formalisms. We will closely 
follow the descriptions given in [NC00] and refer thereto for more details. 

Description of an isolated system. A general $d$-dimensional quantum state, where 
$d \in \mathbb{N}$, is described mathematically by a positive semi-definite density matrix $\rho$ defined on 
the complex Hilbert space of dimension $d$, i.e., a complete inner product space denoted by 
$\mathcal{H}_d$. The standard notation for a pure quantum state is Dirac's bra-ket notation, 
representing the state by a vector $|\psi\rangle \in \mathcal{H}_d$, given, for complex coefficients $\alpha_i \in \mathbb{C}$, as 

$$|\psi\rangle = \sum_{i=0}^{d-1} \alpha_i |i\rangle . \quad (3.1)$$

The orthonormal basis is denoted by the set $\{|0\rangle, \ldots, |d-1\rangle\}$, i.e. the linearly independent 
spanning set of mutually orthogonal unit vectors. The form of a pure state as given in 
Eq. (3.1) as a linear combination nicely reflects an interference phenomenon unique to the 
quantum world, namely the superposition of basis states. Informally speaking, it highlights 
the fact that a quantum particle is in all possible basis states at once. And thus, a complete 
description of such a particle must include the description of every possible state as well as 
the probability of the particle being in that state, given by $|\alpha_i|^2$ for each respective $|i\rangle$. By 
the normalization condition, the total sum of probabilities, i.e. $\sum_i |\alpha_i|^2$, equals 1. 

A mixed quantum state is a statistical ensemble of pure states $\{\lambda_i, |i\rangle\}_i$, where again $\{|i\rangle\}_i$ 
forms a basis, and can be represented as density matrix by 

$$\rho = \sum_i \lambda_i |i\rangle\langle i| \quad (3.2)$$

with eigenvalues $\lambda_i$ and eigenstates $|i\rangle$. Again, it holds that the system is in state $|i\rangle$ with 
probability $\lambda_i$, where $\lambda_i \geq 0$ and, by the normalization condition, we have $\sum_i \lambda_i = 1$. 

More specifically, a qubit is a two-dimensional pure quantum state living in $\mathcal{H}_2$. The 
computational basis (also called $+$-basis, standard basis, canonical basis, or rectilinear basis) 
is defined by the pair $\{|0\rangle, |1\rangle\}$, where 

$$|0\rangle = \begin{pmatrix} 1 \\ 0 \end{pmatrix} \quad \text{and} \quad |1\rangle = \begin{pmatrix} 0 \\ 1 \end{pmatrix} . \quad (3.3)$$

The pair $\{|+\rangle, |-\rangle\}$ denotes the diagonal basis (also named the $\times$-basis or Hadamard basis), 
where 

$$|+\rangle = (|0\rangle + |1\rangle)/\sqrt{2} \quad \text{and} \quad (3.4)$$
$$|-\rangle = (|0\rangle - |1\rangle)/\sqrt{2} . \quad (3.5)$$

Another common notation is $\{|0\rangle_+, |1\rangle_+\}$ for the computational basis and $\{|0\rangle_\times, |1\rangle_\times\}$ 
for the diagonal basis. We use $\{+, \times\}$ as shorthand to refer to the set of these two most 
commonly used conjugate bases. 



Evolution in a closed system. The dynamics that apply in a closed system as 
described above are captured in the description of a unitary transform $U$. $U$ is unitary if it holds 
that $U^\dagger U = I$. Unitary operations preserve inner products between vectors, which yields their 
more intuitive expression in outer product representation as follows. Define $|out_i\rangle = U|in_i\rangle$ 
to be the transformation from "input" basis $\{|in_i\rangle\}_i$ into "output" basis $\{|out_i\rangle\}_i$. Then, 

$$U = \sum_i |out_i\rangle\langle in_i| . \quad (3.6)$$

From the requirement of unitarity, it is evident that such a transformation must be reversible. 
That means that undoing operation $U$ on $|in\rangle$ corresponds to applying its inverse $U^\dagger$ on $|out\rangle$ 
and recreates $|in\rangle$. 

For completeness we note that, although part of this postulate, we will not consider the 
refined version of time evolution, defined by the Schrödinger equation. 

In the more specific case of single qubits, the transformation from the computational 
basis to the diagonal basis, and vice versa, is obtained by applying the Hadamard operation 
$H$, where $H|0\rangle = |+\rangle$ and $H|1\rangle = |-\rangle$, and note that $H = H^\dagger = H^{-1}$. The 
two-dimensional identity operator $I$ is represented by matrix 

$$I = \begin{pmatrix} 1 & 0 \\ 0 & 1 \end{pmatrix} . \quad (3.8)$$

Other important operations are described by the Pauli matrices 

$$\sigma_x = \begin{pmatrix} 0 & 1 \\ 1 & 0 \end{pmatrix} \quad \text{and} \quad \sigma_z = \begin{pmatrix} 1 & 0 \\ 0 & -1 \end{pmatrix} . \quad (3.9)$$

Operator $\sigma_x$ describes a bit-flip. Matrix $\sigma_z$ defines a phase-flip operation, adding a phase 
factor of $-1$ to the $|1\rangle$ component and otherwise leaving the qubit invariant. For completeness, 
we also explicitly state 

$$\sigma_y = \begin{pmatrix} 0 & -i \\ i & 0 \end{pmatrix} , \quad (3.10)$$

but note that $\sigma_y = i\sigma_x\sigma_z$. 

The controlled-NOT operation CNOT is a combination of $I$ and $\sigma_x$ and is defined for two 
input qubits as 

$$\mathrm{CNOT} = \begin{pmatrix} 1 & 0 & 0 & 0 \\ 0 & 1 & 0 & 0 \\ 0 & 0 & 0 & 1 \\ 0 & 0 & 1 & 0 \end{pmatrix} . \quad (3.11)$$

Thus, if the control qubit is 1, CNOT flips the target qubit. Otherwise, $I$ is applied to the 
target qubit. Or in other words, the value of the second output qubit corresponds to the 
classical exclusive disjunction (XOR) of the two input qubits. 
Quantum measurements. To extract information from a quantum system, it must be 
measured. The following descriptions of measurements illustrate the irreversible nature of 
quantum measurements in general, and therewith, the disturbance caused by observation. In 
other words, some information about a state before measurement is lost after measurement. 
This fact stands in sharp contrast to the reversible transformations within a closed system 
as described previously. 

Quantum measurements are described by a collection of measurement operators $\mathcal{M} = 
\{M_m\}_m$, where $m$ denotes the measurement outcome. The probability $\Pr[m]$ to obtain 
outcome $m$ when measuring state $|\psi\rangle$ with $\mathcal{M}$ is given by 

$$\Pr[m] = \langle\psi| M_m^\dagger M_m |\psi\rangle , \quad (3.12)$$

with completeness equation $\sum_m M_m^\dagger M_m = I$, or equivalently, $\sum_m \langle\psi|M_m^\dagger M_m|\psi\rangle = 1$. 
Conditioned on having obtained $m$, the post-measurement state must be renormalized to 

$$\frac{M_m |\psi\rangle}{\sqrt{\Pr[m]}} . \quad (3.13)$$

We also want to stress that quantum measurements do not necessarily commute, which means 
that different measurement orders may yield different measurement outcomes. 
If all operators are orthogonal projectors, i.e. $P_m P_{m'} = \delta_{mm'} P_m$, we call the 
measurement projective and $M = \sum_m m P_m$ its observable. The respective probability and 
post-measurement state are then given by 

$$\Pr[m] = \langle\psi| P_m |\psi\rangle \quad (3.14)$$

and 

$$\frac{P_m |\psi\rangle}{\sqrt{\Pr[m]}} . \quad (3.15)$$

Measuring in basis $\{|m\rangle\}_m$ means to apply a projective measurement defined by projectors 
$P_m = |m\rangle\langle m|$. 

When only specifying the mappings $E_m = M_m^\dagger M_m$, we obtain an expression in the positive 
operator-valued measure (POVM) formalism, similar to Eq. (3.12), namely, 

$$\Pr[m] = \operatorname{tr}(E_m \rho) , \quad (3.16)$$

where $\mathcal{E} = \{E_m\}_m$ is the POVM, denoting the set of Hermitian operators such that $\sum_m E_m = 
I$ and $E_m \geq 0$. This formalism is simpler than the general expressions in Eqs. (3.12) 
and (3.13), but sufficient for many purposes, as it yields the measurement statistics directly. 
It also becomes evident here that for a complete description of measuring the observable of 
a quantum system, the formulation of a quantum system must include uncertainty in that 
the probability of all possible outcomes must be encoded in it. 

Again more specifically, measuring a single qubit in the computational or diagonal basis 
means applying the measurement described by projectors $|0\rangle\langle 0|$ and $|1\rangle\langle 1|$ or projectors $|+\rangle\langle +|$ 
and $|-\rangle\langle -|$, respectively. We want to point out a very important consequence of using such 
conjugate bases (also called mutually unbiased bases). Measuring a qubit prepared in one 
of two conjugate bases is equivalent to distinguishing between two non-orthogonal quantum 
states. Non-orthogonal states, however, cannot be distinguished with certainty, 
which can be derived from the above formalisms. Thus, any measurement must destroy 
information and therewith disturb the system, except, of course, a measurement of a basis 
state in its own basis. In other words, a state with a fixed measurement outcome in one basis 
implies maximal uncertainty about the measurement outcome in the other basis. 

Composite systems. The joint state of a multipartite system in $\mathcal{H}^{\otimes n}$ is given by the tensor 
product $\mathcal{H}_1 \otimes \cdots \otimes \mathcal{H}_n$. For simplicity, we consider a bipartite joint state $\rho_{AB} \in \mathcal{H}_A \otimes \mathcal{H}_B$ 
shared between Alice and Bob, i.e., 

$$\rho_{AB} = \sum_i \alpha_i |i\rangle_A \otimes \sum_j \beta_j |j\rangle_B , \quad (3.17)$$

with orthonormal bases $\{|i\rangle_A\}_i$ for $\mathcal{H}_A$ and $\{|j\rangle_B\}_j$ for $\mathcal{H}_B$. The form of the state in Eq. (3.17) 
indicates a product state, which is separable, since it can be decomposed into two definite 
pure states. 

For string $x = (x_1, \ldots, x_n) \in \{0,1\}^n$, encoded in bases $\theta = (\theta_1, \ldots, \theta_n) \in \{+,\times\}^n$, we 
write $|x\rangle_\theta = |x_1\rangle_{\theta_1} \otimes \cdots \otimes |x_n\rangle_{\theta_n}$. For $S \subseteq \{1, \ldots, n\}$ of size $s$, we define $x|_S \in \{0,1\}^s$ and 
$\theta|_S \in \{+,\times\}^s$ to be the restrictions $(x_i)_{i \in S}$ and $(\theta_i)_{i \in S}$, respectively. If all qubits are encoded 
in the same basis $\theta \in \{+,\times\}$, then $|x\rangle_\theta = |x_1 \ldots x_n\rangle_\theta$. 



In contrast to the product states of Eq. (3.17), we can also have pure composite systems 
in some entangled state of the form 

$$\rho_{AB} = \sum_{i,j} \gamma_{ij} |i\rangle_A |j\rangle_B \quad (3.18)$$

with $\gamma_{ij} \neq \alpha_i \beta_j$. Entangled components can only be described with reference 
to each other. Special cases thereof are the maximally entangled EPR-pairs (or Bell states): 

$$|\Phi\rangle_{00} = (|00\rangle + |11\rangle)/\sqrt{2} ,$$
$$|\Phi\rangle_{11} = (|00\rangle - |11\rangle)/\sqrt{2} ,$$
$$|\Phi\rangle_{01} = (|01\rangle + |10\rangle)/\sqrt{2} , \quad \text{and} \quad (3.19)$$
$$|\Phi\rangle_{10} = (|01\rangle - |10\rangle)/\sqrt{2} .$$

Important for cryptographic purposes are the following observations. First, as Eq. (3.18) 
indicates, upon observing one of the two particles entangled in one single state, the system 
will collapse, and thus, the other particle will at least partially be determined, even though 
the particles may be spatially separated. On a side note, the outcome of the first measurement 
is random, and therewith so is the state into which the composite system collapses. 
Hence, information (i.e. a non-random message) cannot be transmitted faster than 
the speed of light by shared entanglement. Second, entanglement is basis-independent, e.g. 
$|\Phi\rangle_{00} = (|00\rangle + |11\rangle)/\sqrt{2} = (|{+}{+}\rangle + |{-}{-}\rangle)/\sqrt{2}$. And last, if an entangled state $\rho_{AB}$ is pure, 
then it cannot be entangled with any other state, for instance one in Eve's hands, so it 
holds that $\rho_{ABE} = \rho_{AB} \otimes \rho_E$. Thus, under the assumption of it being pure, entanglement is 
monogamous. 

Subsystems of a composite system can be described by the reduced density operator, 
computed by the partial trace. Let $\rho_{AB} = |a_1\rangle\langle a_2| \otimes |b_1\rangle\langle b_2|$ and assume that only subsystem 
$A$ is accessible. Then, we have 

$$\operatorname{tr}_B(\rho_{AB}) = \langle b_2|b_1\rangle\, |a_1\rangle\langle a_2| . \quad (3.20)$$

Trivially, when tracing system $B$ out of a product state, we have $\operatorname{tr}_B(\rho_A \otimes \rho_B) = \rho_A$. 
However, the reduced density operator of an entangled EPR-pair is the completely mixed state 
$I/2$, at trace distance $1/2$ from any pure qubit state (see the next Section 3.2). Thus, interestingly, 
the joint state of two entangled qubits is pure and can be completely determined, yet its 
subsystems alone are completely mixed. 
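The following Python code, added here as an illustration and not part of the thesis, implements the single-qubit objects of Eqs. (3.3)-(3.11) with plain complex arithmetic and checks the statements above: measuring $|0\rangle$ in the $+$-basis is deterministic while measuring it in the $\times$-basis is a fair coin; $H$ maps between the two bases; $\sigma_y = i\sigma_x\sigma_z$; CNOT applied to $|+\rangle|0\rangle$ yields $|\Phi\rangle_{00}$, which has the same form in the diagonal basis and whose reduced state $\operatorname{tr}_B$ is the completely mixed $I/2$ although the joint state is pure. All helper names are choices made for this example.

```python
from math import sqrt

# Added example (not part of the thesis): qubit states and gates as plain Python lists of
# complex numbers, so that the code runs without numpy.


def matvec(m, v):
    return [sum(m[i][j] * v[j] for j in range(len(v))) for i in range(len(m))]


def matmul(a, b):
    return [[sum(a[i][k] * b[k][j] for k in range(len(b)))
             for j in range(len(b[0]))] for i in range(len(a))]


def scale(c, m):
    return [[c * x for x in row] for row in m]


def kron_vec(v, w):
    """Tensor product |v>|w> of two state vectors."""
    return [vi * wj for vi in v for wj in w]


def outer(v, w):
    """|v><w| as a matrix."""
    return [[vi * wj.conjugate() for wj in w] for vi in v]


def inner(v, w):
    """<v|w>."""
    return sum(vi.conjugate() * wi for vi, wi in zip(v, w))


def approx(a, b, tol=1e-9):
    """Elementwise comparison of (nested) lists of numbers."""
    if isinstance(a, list):
        return len(a) == len(b) and all(approx(x, y, tol) for x, y in zip(a, b))
    return abs(a - b) <= tol


# Basis states (3.3)-(3.5), the Hadamard transform and the gates (3.8)-(3.11).
KET0, KET1 = [1, 0], [0, 1]
PLUS = [1 / sqrt(2), 1 / sqrt(2)]
MINUS = [1 / sqrt(2), -1 / sqrt(2)]
I2 = [[1, 0], [0, 1]]
H = [[1 / sqrt(2), 1 / sqrt(2)], [1 / sqrt(2), -1 / sqrt(2)]]
SIGMA_X = [[0, 1], [1, 0]]
SIGMA_Y = [[0, -1j], [1j, 0]]
SIGMA_Z = [[1, 0], [0, -1]]
CNOT = [[1, 0, 0, 0], [0, 1, 0, 0], [0, 0, 0, 1], [0, 0, 1, 0]]


def measure_probs(psi, basis):
    """Pr[m] = <psi|P_m|psi> with P_m = |m><m| for every basis vector |m> (Eq. 3.14)."""
    return [abs(inner(m, psi)) ** 2 for m in basis]


def partial_trace_b(rho_ab):
    """tr_B of a two-qubit density matrix whose rows/columns are indexed by 2*a + b."""
    return [[rho_ab[2 * i][2 * j] + rho_ab[2 * i + 1][2 * j + 1]
             for j in range(2)] for i in range(2)]


def bell_state_00():
    """|Phi>_00 = CNOT (H|0>)|0> = (|00> + |11>)/sqrt(2)."""
    return matvec(CNOT, kron_vec(matvec(H, KET0), KET0))


def bell_in_diagonal_basis():
    """Outcome probabilities for |++>, |+->, |-+>, |--> on |Phi>_00: basis independence."""
    basis = [kron_vec(a, b) for a in (PLUS, MINUS) for b in (PLUS, MINUS)]
    return measure_probs(bell_state_00(), basis)


if __name__ == "__main__":
    print("|0> measured in + basis:", measure_probs(KET0, [KET0, KET1]))
    print("|0> measured in x basis:", measure_probs(KET0, [PLUS, MINUS]))
    print("sigma_y == i sigma_x sigma_z:", approx(SIGMA_Y, scale(1j, matmul(SIGMA_X, SIGMA_Z))))
    phi = bell_state_00()
    print("tr_B of the Bell pair:", partial_trace_b(outer(phi, phi)))
```

Running it shows the conjugate-basis effect directly: the same state that gives a certain outcome in one basis gives a uniformly random one in the other, and the Bell pair is pure while each half on its own is the maximally mixed state.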



3.2 Distance, Distinguishability, and Dependence 

We will need various measures to determine the distance between classical and quantum 
states. Distance measures possess an important operational meaning in the context of dis- 
tinguishability between two systems. 
Distance. For classical information, the distance between two binary strings of equal 
length can be measured by means of the Hamming distance $d_H$, which is the number of 
positions at which the strings differ, or more formally, for strings $x, y \in \{0,1\}^n$, we have 

$$d_H(x,y) := |\{i : x_i \neq y_i\}| . \quad (3.21)$$

We will also need the relative Hamming distance 

$$r_H(x,y) := \frac{d_H(x,y)}{n} . \quad (3.22)$$

For completeness, we note that the Hamming weight $w_H$ is the Hamming distance of $x$ to 
the all-zero string (of the same length), i.e. $w_H(x) := |\{i : x_i = 1\}|$. 

In the classical world, the statistical or variational distance between two classical 
probability distributions $P$ and $Q$ over the same finite set $\mathcal{X}$ with events $E \subseteq \mathcal{X}$ is determined 
by 

$$\delta(P,Q) := \frac{1}{2}\sum_{x \in \mathcal{X}} |P(x) - Q(x)| = \max_{E \subseteq \mathcal{X}} |P(E) - Q(E)| . \quad (3.23)$$

A measure of proximity is given by the fidelity 

$$F(P,Q) := \sum_{x \in \mathcal{X}} \sqrt{P(x)\,Q(x)} . \quad (3.24)$$

The classical notions of distance and fidelity can be generalized to the distance and 
proximity of two quantum states $\rho$ and $\sigma$. The quantum analogue to the classical distance 
in Eq. (3.23) is the trace distance, given as 

$$\delta(\rho,\sigma) := \frac{1}{2}\operatorname{tr}(|\rho - \sigma|) , \quad (3.25)$$

where $|A| = \sqrt{A^\dagger A}$ for any operator $A$, so that $\operatorname{tr}|A|$ is the trace norm of $A$. The notion 
of fidelity translates to quantum fidelity by 

$$F(\rho,\sigma) := \operatorname{tr}\sqrt{\sqrt{\rho}\,\sigma\sqrt{\rho}} . \quad (3.26)$$

The relation between classical variational distance and quantum trace distance can be made 
more explicit by 

$$\delta(\rho,\sigma) = \max_{\mathcal{E}} \delta(\mathcal{E}(\rho), \mathcal{E}(\sigma)) , \quad (3.27)$$

where the maximum is taken over all POVMs $\mathcal{E}$, and $\mathcal{E}(\rho), \mathcal{E}(\sigma)$ indicate the probability 
distributions obtained when measuring $\rho$ or $\sigma$ using $\mathcal{E}$. Moreover, it is worth pinpointing 
that, for mixtures of pure quantum states $\rho = \sum_i \lambda_i |i\rangle\langle i|$ and $\sigma = \sum_i \gamma_i |i\rangle\langle i|$ with 
the same orthonormal basis $\{|i\rangle\}_i$ but potentially different eigenvalues $\lambda_i$ and $\gamma_i$, the 
quantum measure naturally reduces to the classical one between the eigenvalue distributions 
$\lambda = \{\lambda_i\}_i$ and $\gamma = \{\gamma_i\}_i$ by 

$$\delta(\rho,\sigma) = \frac{1}{2}\operatorname{tr}|\rho - \sigma| = \frac{1}{2}\operatorname{tr}\Big|\sum_i (\lambda_i - \gamma_i)|i\rangle\langle i|\Big| = \frac{1}{2}\sum_i |\lambda_i - \gamma_i| = \delta(\lambda,\gamma) . \quad (3.28)$$

A similar reduction can be obtained for the fidelity. 

Trace distance and quantum fidelity are, in general, equivalent concepts, but with partly 
different characteristics and properties, so we will use one or the other, depending on the 
respective context (see [FvdG99] or [NC00] for a more detailed discussion). However, they 
are closely related in that we have 

$$1 - F(\rho,\sigma) \leq \delta(\rho,\sigma) \leq \sqrt{1 - F(\rho,\sigma)^2} . \quad (3.29)$$

For pure states $\rho = |\psi\rangle\langle\psi|$ and $\sigma = |\phi\rangle\langle\phi|$, expressions (3.25) and (3.26) simplify to 

$$\delta(\rho,\sigma) = \sqrt{1 - |\langle\psi|\phi\rangle|^2} \quad \text{and} \quad F(\rho,\sigma) = |\langle\psi|\phi\rangle| , \quad (3.30)$$

where the square of the latter can be seen as the transition probability. Furthermore, the 
fidelity between a pure state $\rho = |\psi\rangle\langle\psi|$ and an arbitrary quantum state $\sigma$ is given by 

$$F(\rho,\sigma) = \sqrt{\langle\psi|\sigma|\psi\rangle} , \quad (3.31)$$

which shows that the square root of the overlap between the states determines the fidelity. 

Distinguishability. The importance of both quantum measures is due to their 
operational meaning of distinguishability. The fidelity can be seen as an "upside down" trace 
distance in that the limits $0$ and $1$ in $0 \leq F(\rho,\sigma) \leq 1$ mean perfectly distinguishable 
and perfectly indistinguishable, respectively. In contrast, the trace distance $0 \leq \delta(\rho,\sigma) \leq 1$ 
increases for decreasing indistinguishability, such that we get $\delta(\rho,\sigma) = 0$ for $\rho = \sigma$ and 
$\delta(\rho,\sigma) = 1$ for $\rho$ orthogonal to $\sigma$. 

Coming back to Eq. (3.27) in this context, it is worth noting that the POVM $\mathcal{E}$ that 
achieves the maximum is the optimal POVM for distinguishing $\rho$ and $\sigma$. Furthermore, 
we want to single out two important properties by means of the trace distance. First, we 
have unitary invariance with $\delta(\rho,\sigma) = \delta(U\rho U^\dagger, U\sigma U^\dagger)$, meaning that the distance between 
the states does not change when a unitary operation $U$ is applied to both of them. And 
second, any trace-preserving quantum operation $\mathcal{T}$ is contractive (monotonicity under 
quantum operations) with $\delta(\mathcal{T}(\rho), \mathcal{T}(\sigma)) \leq \delta(\rho,\sigma)$. Informally, no physical process can 
increase the distance, or in other words, no modification of the states can help to better 
distinguish two states. An important special case relating to the partial trace shows that 
$\delta(\operatorname{tr}_B(\rho_{AB}), \operatorname{tr}_B(\sigma_{AB})) \leq \delta(\rho_{AB}, \sigma_{AB})$, which again informally states that two systems are 
at least as hard to distinguish when only a part of them is accessible. 
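The following Python code, an added example rather than part of the thesis, computes the classical and qubit versions of the distance measures of this section: Hamming distance and weight (Eqs. (3.21)-(3.22)), statistical distance by both expressions of Eq. (3.23), classical fidelity (3.24), and for $2 \times 2$ density matrices the trace distance (3.25) and fidelity (3.26). For qubits the fidelity has the closed form $F(\rho,\sigma)^2 = \operatorname{tr}(\rho\sigma) + 2\sqrt{\det\rho\,\det\sigma}$, used here to avoid matrix square roots; the code also checks the inequality (3.29) and the contractivity under a depolarizing channel, an example of a trace-preserving operation chosen for this illustration. All function names are choices made for this example.

```python
from math import sqrt

# Added example (not part of the thesis): classical and single-qubit distance measures.


def hamming_distance(x, y):
    """d_H(x, y) = |{i : x_i != y_i}| for equal-length bit sequences (Eq. 3.21)."""
    if len(x) != len(y):
        raise ValueError("strings must have equal length")
    return sum(1 for a, b in zip(x, y) if a != b)


def relative_hamming_distance(x, y):
    """r_H(x, y) = d_H(x, y) / n (Eq. 3.22)."""
    return hamming_distance(x, y) / len(x)


def hamming_weight(x):
    """w_H(x): Hamming distance of x to the all-zero string."""
    return hamming_distance(x, [0] * len(x))


def statistical_distance(p, q):
    """delta(P, Q) = 1/2 sum_x |P(x) - Q(x)|; p and q map symbols to probabilities."""
    return 0.5 * sum(abs(p.get(k, 0.0) - q.get(k, 0.0)) for k in set(p) | set(q))


def max_event_gap(p, q):
    """max_E |P(E) - Q(E)| by brute force over all events E (second form of Eq. 3.23)."""
    keys = sorted(set(p) | set(q))
    best = 0.0
    for mask in range(1 << len(keys)):
        event = [k for i, k in enumerate(keys) if mask >> i & 1]
        best = max(best, abs(sum(p.get(k, 0.0) for k in event)
                             - sum(q.get(k, 0.0) for k in event)))
    return best


def classical_fidelity(p, q):
    """F(P, Q) = sum_x sqrt(P(x) Q(x)) (Eq. 3.24)."""
    return sum(sqrt(p.get(k, 0.0) * q.get(k, 0.0)) for k in set(p) | set(q))


# Qubit states are 2x2 density matrices given as nested lists of (complex) numbers.

def pure_state(psi):
    """rho = |psi><psi| for a normalized 2-vector."""
    return [[psi[i] * psi[j].conjugate() for j in range(2)] for i in range(2)]


def diagonal_state(p0, p1):
    """A mixture of |0> and |1> with eigenvalues p0, p1 (Eq. 3.2)."""
    return [[p0, 0], [0, p1]]


def eigenvalues_hermitian_2x2(m):
    a, d, b = m[0][0].real, m[1][1].real, m[0][1]
    mid = (a + d) / 2
    radius = sqrt(((a - d) / 2) ** 2 + abs(b) ** 2)
    return mid + radius, mid - radius


def trace_distance(rho, sigma):
    """delta = 1/2 tr|rho - sigma| = 1/2 sum |eigenvalues of rho - sigma| (Eq. 3.25)."""
    diff = [[rho[i][j] - sigma[i][j] for j in range(2)] for i in range(2)]
    return 0.5 * sum(abs(lam) for lam in eigenvalues_hermitian_2x2(diff))


def _det(m):
    return (m[0][0] * m[1][1] - m[0][1] * m[1][0]).real


def fidelity(rho, sigma):
    """F = tr sqrt(sqrt(rho) sigma sqrt(rho)) (Eq. 3.26), evaluated through the qubit
    closed form F^2 = tr(rho sigma) + 2 sqrt(det(rho) det(sigma))."""
    tr_rs = sum(rho[i][j] * sigma[j][i] for i in range(2) for j in range(2)).real
    f_sq = tr_rs + 2 * sqrt(max(_det(rho) * _det(sigma), 0.0))
    return sqrt(max(f_sq, 0.0))


def fuchs_van_de_graaf_holds(rho, sigma, tol=1e-9):
    """Checks 1 - F <= delta <= sqrt(1 - F^2) (Eq. 3.29)."""
    f, d = fidelity(rho, sigma), trace_distance(rho, sigma)
    return 1 - f - tol <= d <= sqrt(max(1 - f * f, 0.0)) + tol


def depolarize(rho, p):
    """Trace-preserving operation T(rho) = (1-p) rho + p I/2; delta shrinks by (1-p)."""
    return [[(1 - p) * rho[i][j] + (p / 2 if i == j else 0) for j in range(2)]
            for i in range(2)]
```

With $\rho = |0\rangle\langle 0|$ and $\sigma = |+\rangle\langle +|$ the code returns $\delta = F = 1/\sqrt{2}$, the values of Eq. (3.30) for overlap $|\langle 0|+\rangle| = 1/\sqrt{2}$; for two diagonal states it returns exactly the statistical distance and classical fidelity of their eigenvalue distributions, as Eq. (3.28) states.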

Two families of probability distributions $\{P_n\}_{n \in \mathbb{N}}$ and $\{Q_n\}_{n \in \mathbb{N}}$ are called perfectly 
indistinguishable, denoted by $P \stackrel{p}{\approx} Q$, if their output distributions on each input are identical, 
namely $P_n = Q_n$ for all $n \in \mathbb{N}$. In other words, an unbounded adversary cannot distinguish 
the outcomes, which holds with probability 1. Relaxing this condition defines statistical 
indistinguishability ($P \stackrel{s}{\approx} Q$), which holds if the statistical distance $\delta(P_n, Q_n)$ is negligible (in the 
length of the input). This covers the setting in which an unbounded adversary cannot 
distinguish the outcomes, except with negligible probability. For $\delta(P_n, Q_n) \leq \varepsilon$, and therewith 
indistinguishability except with probability $\varepsilon$, we also call the distributions $\varepsilon$-close. Thus, 
perfect and statistical indistinguishability are defined in the information-theoretic sense and 
we call the resulting security flavor unconditional. 
In the computational setting, we require that the two distributions cannot be 
distinguished by any computationally efficient procedure. More formally, let 
$\Pr[\mathcal{A}(P(x)) = 1 \mid x \leftarrow P]$ denote the probability that an algorithm $\mathcal{A}$ is successful in that 
it outputs "$P$" if the input $x$ comes from $P$, and analogously for $Q$. To claim computational 
indistinguishability between $P$ and $Q$, denoted by $P \stackrel{c}{\approx} Q$, for any probabilistic poly-time 
algorithm $\mathcal{A}$ it must hold that the (distinguishing) advantage $\mathrm{adv}$, i.e., 

$$\mathrm{adv}(\mathcal{A}) = \big|\Pr[\mathcal{A}(P_n) = 1] - \Pr[\mathcal{A}(Q_n) = 1]\big| ,$$

is negligible in the length of the input. Quantum-computational indistinguishability ($P \stackrel{q}{\approx} Q$) 
is defined similarly for the case of a quantum algorithm $\mathcal{A}$. In other words, (quantum-) 
computational security holds with overwhelming probability against a poly-time (quantum) 
adversary. 

Consider a quantum algorithm consisting of a uniform family $\{C_n\}_{n \in \mathbb{N}}$ of quantum 
circuits, which is said to run in polynomial time if the number of gates of $C_n$ is polynomial 
in $n$. Then, two families of quantum states $\{\rho_n\}_{n \in \mathbb{N}}$ and $\{\sigma_n\}_{n \in \mathbb{N}}$ are called perfectly 
indistinguishable, $\rho \stackrel{p}{\approx} \sigma$, if $\delta(\rho_n, \sigma_n) = 0$ in the case of unrestricted running time. We have 
statistical indistinguishability, $\rho \stackrel{s}{\approx} \sigma$, if $\delta(\rho_n, \sigma_n) \leq \varepsilon$ for $\varepsilon$ negligible in $n$, and without 
any restriction on the running time. Again, for $\delta(\rho,\sigma) \leq \varepsilon$, we call the quantum states 
$\varepsilon$-close, or indistinguishable except with probability $\varepsilon$. Then, to prove sufficient closeness 
between an ideal system and the real state, we require $\varepsilon$ to be negligible (in the security 
parameter). Last, we have quantum-computational indistinguishability, denoted by $\rho \stackrel{q}{\approx} \sigma$, 
if any polynomial-time quantum algorithm has negligible advantage $\varepsilon$ in distinguishing $\rho_n$ 
from $\sigma_n$. 

Dependence. We will often use upper case letters for random variables (in proofs) that 
describe the respective values (in the actual protocol). Let $P_X$ denote the probability distribution 
of a classical random variable $X$ over finite set $\mathcal{X}$. Let 

$$\rho_X = \sum_{x} P_X(x)\, |x\rangle\langle x| \quad (3.32)$$

denote the quantum representation of the classical random variable $X$. Let $\rho_E^x$ denote a state 
in register $E$, depending on value $x \in \mathcal{X}$ of random variable $X$ over $\mathcal{X}$ with distribution $P_X$. 
Then, from the view of an observer who holds register $E$ but does not know $X$, the system 
is in state 

$$\rho_E = \sum_x P_X(x)\, \rho_E^x , \quad (3.33)$$

where $\rho_E$ depends on $X$ in the sense that $E$ is in state $\rho_E^x$ exactly if $X = x$. 

The dependence between the classical and the quantum part of a bipartite joint state can be 
expressed as 

$$\rho_{XE} = \sum_x P_X(x)\, |x\rangle\langle x| \otimes \rho_E^x . \quad (3.34)$$

Such a state is formally called a cq-state. Note that naturally, $\rho_E = \operatorname{tr}_X(\rho_{XE}) = \sum_x P_X(x)\rho_E^x$, 
and that the notation can be extended to states depending on more classical variables, i.e. 
ccq-states, cccq-states, etc. Full independence of classical and quantum parts within one state 
is given iff $\rho_E^x = \rho_E$ for any $x$, and therewith $\rho_{XE} = \rho_X \otimes \rho_E$. This means in particular that 
no information on $X$ is gained by observing only $\rho_E$. However, full independence is often 
too strong a requirement. For our purposes, it suffices that the real state is close to the ideal 
situation. 

Last in this context, we want to express that a random variable $X$ is independent of 
a quantum state $\rho_E$ when given a random variable $Y$. Independence in this case means 
that, when given $Y$, the state $E$ gives no additional information on $X$. Yet another way to 
understand conditional independence is that $E$ is obtained from $X$ and $Y$ by solely processing 
$Y$. Formally, adopting the notion introduced in [DFSS07], we require that $\rho_{XYE}$ equals 
$\rho_{X \leftrightarrow Y \leftrightarrow E}$, where the latter is defined as 

$$\rho_{X \leftrightarrow Y \leftrightarrow E} := \sum_{x,y} P_{XY}(x,y)\, |x\rangle\langle x| \otimes |y\rangle\langle y| \otimes \rho_E^y , \quad (3.35)$$

where $\rho_E^y = \sum_x P_{X|Y}(x|y)\, \rho_E^{x,y}$. In other words, $\rho_{XYE} = \rho_{X \leftrightarrow Y \leftrightarrow E}$ precisely if $\rho_E^{x,y} = \rho_E^y$ for 
all $x$ and $y$. 



3.3 Entropies 



Entropies are useful measures of "information, choice and uncertainty". We will give a brief 
recap here, only covering the concepts most important in the context of this work. For a 
general introduction we refer to e.g. [NC00, Ren05, Sch07] for more details and proofs. 
The Shannon entropy [Sha48] 

$$H(X) := -\sum_{x \in \mathcal{X}} P_X(x) \log P_X(x) = -\sum_x p_x \log p_x \quad (3.36)$$

applies to a classical probability distribution $P_X$ over $\mathcal{X}$ with probabilities $p_x$, and as such 
quantifies the information gain on average after learning $X$, or complementarily, the average 
uncertainty before learning $X$.² The binary version thereof, namely the binary entropy 
function, is defined for the case of two possibilities as 

$$h(\mu) := -\big(\mu \log \mu + (1-\mu)\log(1-\mu)\big) \quad (3.37)$$

with $0 \leq \mu \leq \frac{1}{2}$. We will use that, given the ball of all $n$-bit strings at Hamming distance at 
most $\mu n$ from $x$, denoted as $B^{\mu n}(x)$, we have that $|B^{\mu n}(x)| \leq 2^{h(\mu)\, n}$. 

For a cryptographic scenario with not necessarily independent repetitions, its generalization 
is given by the Rényi entropy [Rén61] of order $\alpha$ as 

$$H_\alpha(X) := \frac{1}{1-\alpha} \log \Big( \sum_{x \in \mathcal{X}} P_X(x)^\alpha \Big) \quad (3.38)$$

for $\alpha > 0$. Note that the Shannon entropy is the special case for the limit $\alpha \to 1$. 

²Note that the logarithmic base is 2 for a result in bits. 

The joint entropy of a pair of random variables $(X_0, X_1)$ measures the total uncertainty about the pair and is naturally defined as
\[ H(X_0, X_1) = -\sum_{x_0, x_1} P_{X_0 X_1}(x_0, x_1)\,\log\big(P_{X_0 X_1}(x_0, x_1)\big) \,. \qquad (3.39) \]
Assume now that $X_1$ is learned, and therewith, $H(X_1)$ bits of information about $(X_0, X_1)$. Then, the remaining uncertainty of $X_0$, conditioned on knowing $X_1$, is given by the conditional entropy
\[ H(X_0 | X_1) := H(X_0, X_1) - H(X_1) \,. \qquad (3.40) \]
Rényi entropies can also be defined for the quantum world, i.e., where a density matrix $\rho$ replaces the probability distribution, and we have
\[ H_\alpha(\rho) := \frac{1}{1-\alpha}\,\log\big(\mathrm{tr}(\rho^{\alpha})\big) \,, \qquad (3.41) \]
for $\alpha \in [0, \infty]$ (with $\alpha = 1$ and $\alpha = \infty$ understood as limits). The von Neumann entropy is then given by
\[ H(\rho) := -\mathrm{tr}(\rho \log \rho) \,, \qquad (3.42) \]
which corresponds to the Shannon entropy of the outcome when measuring the quantum state $\rho_X$ in its eigenbasis, or in other words $H(\rho) = -\sum_x \lambda_x \log \lambda_x$, where the $\lambda_x$ are the eigenvalues of $\rho_X$. Thus, it naturally holds that $H_\alpha(\rho_X) = H_\alpha(X)$ whenever the classical variable $X$ is encoded in the quantum state $\rho_X = \sum_x P_X(x)\,|x\rangle\langle x|$.

A special entropy measure is obtained when taking the limit $\alpha \to \infty$, namely the min-entropy. The notion of min-entropy is used in the context of randomness extraction and privacy amplification in the presence of a dishonest receiver or an eavesdropper on the transmission (see Section 3.4). Intuitively, the (classical) min-entropy is determined by the highest peak in a distribution, and therewith, describes the maximum amount of potentially leaked information, which in turn formalizes security for cryptographic applications in the worst case. In other words, the min-entropy is the negative logarithm of the success probability of an adversary's best guess about an unknown value. Since $H_\alpha$ is non-increasing in $\alpha$, the min-entropy is the smallest of all Rényi entropies, $H_\infty(X) \le H_\alpha(X)$ for every $\alpha$, which is why it is the right measure for worst-case guarantees.

Definition 3.1 (Min-Entropy) Let $X$ be a random variable over alphabet $\mathcal{X}$ with probability distribution $P_X$. The min-entropy of $X$ is defined as
\[ H_\infty(X) = -\log\big(\max_x P_X(x)\big) \,. \]

Another important special case is the max-entropy with values for $\alpha$ approaching zero. Its definition captures a Rényi entropy in which all possible events are considered equally, regardless of their probabilities. Its operational meaning lies in information reconciliation (see also Section 3.4).

Definition 3.2 (Max-Entropy) The max-entropy of a density matrix $\rho$ is defined as
\[ H_0(\rho) = \log\big(\mathrm{rank}(\rho)\big) \,. \]
For a classical distribution $P_X$ this is the logarithm of the size of its support.
For completeness, we note that another notion of Rényi entropies with a (non-negative) smoothing parameter $\varepsilon$ was introduced in [Ren05, RW05]. Intuitively, it holds that for two random variables $X_0$ and $X_1$ with almost the same probability distribution (e.g. $X_0 = X_1$ with high probability), the difference between $H_\alpha^{\varepsilon}(X_0)$ and $H_\alpha^{\varepsilon}(X_1)$ is small. However, in this work we will only use the "un-smoothed" Rényi entropies as discussed above.

Last, we conclude with the following lemma, which we will need in the context of oblivious transfer. Informally, it states that if the joint min-entropy of two random variables $X_0$ and $X_1$ is large, then at least one of them has half of the original min-entropy, in a randomized sense.

Lemma 3.1 (Min-Entropy-Splitting Lemma [Wul07, DFR+07]) Let $X_0, X_1$ be random variables with $H_\infty(X_0 X_1) \ge \alpha$. Then, there exists a binary random variable $K \in \{0, 1\}$ such that $H_\infty(X_{1-K} K) \ge \alpha/2$.



3.4 Information Reconciliation and Privacy Amplification 

Errors and eavesdropping affect the communication in our quantum protocols such that the honest parties might end up with bit-strings of measurement outcomes that differ or have leaked in some positions. Countermeasures were proposed already in the first practical implementation of QKD [BBB+92]. The honest parties first reconcile their shared data by public discussion to obtain consistent strings. Note that this process has to be accomplished without revealing more information than absolutely necessary to an adversary eavesdropping on the public (classical) channel. The simplest procedure involves a test on a subset of all shared (qu)bits to compute the error rate, i.e., the relative number of all positions with different outcomes. In that case, these publicly announced bits must later be discarded, which in turn means that more qubits have to be sent at the beginning of the protocol. According to the error rate in the test set, error correction must be applied to the untested remaining set. Since the transmission of qubits is very efficient in practice and good error correction techniques are known, we will use this simple technique in our quantum protocols. After successful reconciliation, the honest parties are in possession of identical bit-strings. Whatever is announced during reconciliation (test positions and outcomes, error-correction information) is side information available to the adversary; in Theorem 3.1 below it is part of the classical register $U$ and reduces the conditional min-entropy $H_\infty(X|U)$ that privacy amplification can draw on.



To turn these strings into completely secure ones, privacy amplification [BBR88] can be applied, which intuitively distills a shorter but (essentially) private shared string. More concretely, privacy amplification employs two-universal hashing (see Definition 3.3) to transform a partially secret string into a highly secure "hashed down" string, about which any adversary only has negligible information and which looks essentially random to him. Note that two-universal hashing also works against quantum adversaries, i.e., in the case when the attacker holds quantum information about the initial string [KMR05, RK05, Ren05]. In fact, it is essentially the only efficient way to perform privacy amplification against quantum adversaries.

Definition 3.3 (Two-Universal Hashing) A class $\mathcal{F}$ of hash functions $F: \{0,1\}^n \to \{0,1\}^{\ell}$ is called two-universal, if for any pair $x, y \in \{0,1\}^n$ with $x \neq y$, and $F$ uniformly chosen from $\mathcal{F}$, it holds that
\[ \Pr[F(x) = F(y)] \le 2^{-\ell} \,. \]
In the slightly stronger notion of strongly two-universal hash functions, we require the random variables $F(x)$ and $F(y)$ to be independent and uniformly distributed over $\{0,1\}^{\ell}$.

Let classical $X$ be correlated with classical part $U$ and quantum part $E$, i.e., $\rho_{XUE} = \sum_{x \in \{0,1\}^n} P_X(x)\,|x\rangle\langle x| \otimes \rho_{UE}^{x}$. Let $F$ be a hash function chosen uniformly from $\mathcal{F}$. After applying $F$ to $X$, we obtain the cccq-state $\rho_{F(X)FUE}$ of the form
\[ \rho_{F(X)FUE} = \sum_{f \in \mathcal{F}} \sum_{x \in \{0,1\}^n} \frac{1}{|\mathcal{F}|}\,P_X(x)\,|f(x)\rangle\langle f(x)| \otimes |f\rangle\langle f| \otimes \rho_{UE}^{x} \,, \qquad (3.43) \]
where the choice of $F$ is independent of $X$, $U$ and $E$.



The basic theorem for privacy amplification in the quantum world was introduced in [RK05] and [Ren05], and refined in [Sch07]. Here, we give the version from [Sch07, Corollary 2.25] but in its un-smoothed form and tailored to our context.

Theorem 3.1 (Privacy Amplification) Let $\rho_{XUE}$ be a ccq-state with classical $X$ distributed over $\{0,1\}^n$, classical $U$ in the finite domain $\mathcal{U}$, and quantum state $\rho_E$. $U$ and $\rho_E$ may depend on $X$. Let $F$ be the random and independent choice of a member of a two-universal class of hash functions $F: \{0,1\}^n \to \{0,1\}^{\ell}$. Then,
\[ \delta\Big(\rho_{F(X)FUE},\; \tfrac{1}{2^{\ell}}\mathbb{1} \otimes \rho_{FUE}\Big) \le \tfrac{1}{2}\, 2^{-\frac{1}{2}\left(H_\infty(X|U) - H_0(\rho_E) - \ell\right)} \,, \]
where $\delta(\cdot,\cdot)$ denotes the trace distance. Note that if the right-hand side of the theorem is negligible, then we are in a situation where $F(X)$ is essentially uniform and independent of $F$, $U$ and $E$.
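As an added example (not from the thesis), the script below implements one concrete two-universal class in the sense of Definition 3.3, namely the linear maps $x \mapsto Mx$ over $\mathrm{GF}(2)$ for a uniformly random binary $\ell \times n$ matrix $M$; it verifies the collision probability exactly on a toy size by enumerating all matrices, evaluates the right-hand side of Theorem 3.1, and solves that bound for the largest output length $\ell$ at a given target distance. The parameter values in the usage part ($n = 512$, $H_\infty(X|U) = 300$, $H_0(\rho_E) = 40$, target $2^{-40}$) are constructed for illustration and are not taken from the text.

```python
"""Two-universal hashing (Definition 3.3) and the privacy-amplification bound of
Theorem 3.1.  Added example for this section; not code from the thesis.  The
hash class used is H_lin = { F_M : x -> M x over GF(2) | M a binary l x n
matrix }.  For x != y, F_M(x) xor F_M(y) = F_M(x xor y) with x xor y != 0,
which is uniform over {0,1}^l for uniform M, so Pr[F_M(x) = F_M(y)] = 2^-l
exactly.  The class is NOT strongly two-universal: F_M(0^n) = 0^l for every M."""
import secrets
from math import floor, log2


def parity(v):
    """Parity of the set bits of the integer v (inner product mod 2 helper)."""
    return bin(v).count("1") & 1


def linear_hash(rows, x):
    """F_M(x) for M given row-wise as n-bit integers; output bit i = <rows[i], x> mod 2."""
    out = 0
    for i, row in enumerate(rows):
        out |= parity(row & x) << i
    return out


def sample_linear_hash(n, ell):
    """Uniformly random member of H_lin: l independent uniform n-bit rows."""
    return [secrets.randbits(n) for _ in range(ell)]


def collision_probability(n, ell, x, y):
    """Exact Pr_M[F_M(x) = F_M(y)] by enumerating all 2^(n*l) matrices.
    Only feasible for toy sizes; this is the quantity bounded in Definition 3.3."""
    assert x != y and 0 <= x < (1 << n) and 0 <= y < (1 << n)
    mask = (1 << n) - 1
    total = 1 << (n * ell)
    hits = 0
    for m in range(total):
        rows = [(m >> (i * n)) & mask for i in range(ell)]
        if linear_hash(rows, x) == linear_hash(rows, y):
            hits += 1
    return hits / total


def pa_distance_bound(h_min_x_given_u, h0_rho_e, ell):
    """Right-hand side of Theorem 3.1:
    delta(rho_{F(X)FUE}, 2^-l 1 (x) rho_{FUE}) <= 1/2 * 2^{-(H_inf(X|U) - H_0(rho_E) - l)/2}."""
    return 0.5 * 2.0 ** (-(h_min_x_given_u - h0_rho_e - ell) / 2)


def max_output_length(h_min_x_given_u, h0_rho_e, target_distance):
    """Largest l for which the Theorem 3.1 bound is at most target_distance.
    Solving the bound for l gives l <= H_inf(X|U) - H_0(rho_E) - 2 log2(1/(2 target))."""
    ell = floor(h_min_x_given_u - h0_rho_e - 2 * log2(1 / (2 * target_distance)))
    return max(ell, 0)


if __name__ == "__main__":
    # Toy check of Definition 3.3: n = 3 input bits, l = 2 output bits.
    print("Pr[F(5) = F(3)] =", collision_probability(3, 2, 5, 3), "(bound 2^-2 = 0.25)")
    # Constructed parameters: hash a 512-bit raw key down to the length the bound allows.
    n, h_min, h0, target = 512, 300.0, 40.0, 2.0 ** -40
    ell = max_output_length(h_min, h0, target)
    rows = sample_linear_hash(n, ell)
    key = linear_hash(rows, secrets.randbits(n))
    print("output length", ell, "bits; bound", pa_distance_bound(h_min, h0, ell),
          "; key fits in", key.bit_length(), "bits")
```

The exhaustive check is exact rather than sampled, so it demonstrates the equality $\Pr[F(x) = F(y)] = 2^{-\ell}$ for this class and not merely the inequality of Definition 3.3. In practice the $\ell \times n$ matrix is the public randomness $F$ that is sent over the classical channel; it can be announced after $X$ is fixed precisely because Theorem 3.1 gives the adversary the register $F$.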



3.5 Rewinding 

We require for classical schemes in the quantum world that quantum computation does not 
jeopardize the underlying mathematical assumption that guarantees the security. But we 
encounter even more setbacks in the context of actually proving a cryptographic protocol 
secure in a quantum environment, which in the realm of this work are mostly due to the 
strong restrictions on general rewinding — a common proof technique for showing the security 
of different protocols in the computational setting. 



3.5.1 Problems with General Rewinding 

Recall that in the context of simulation-based security, we prove security against a cheating 
player by showing that a run of a protocol between him and the honest player can be efficiently 
simulated without interacting with the honest player but with a simulator instead. Basically, 
such a simulator prepares a valid conversation and tries it on the dishonest party. In case this 
party does not send the expected replies, a classical simulator rewinds the machine of the 
corrupted player to an earlier status and repeats the simulation. Note that if the dishonest 
party sends an invalid reply, the simulation is aborted. To conclude the proof, we then show 
that the running time of the simulation as well as the distribution of the conversation are 
according to expectations. 

Such a technique, however, is impossible to justify in the quantum world. Generally speaking, the simulator would have to partially measure the quantum system without copying it beforehand to obtain the protocol transcript. But then it would become impossible to reconstruct all information necessary for correct rewinding. The problem of rewinding in general quantum systems was originally observed in [Gra97]; detailed discussions can also be found e.g. in [DFS04, Wat09]. In the context of this work, there are two relevant rewinding settings.

The first setting applies to simulations intended to collect several transcripts of conversa- 
tions. An example thereof is the classical simulation for protocols with embedded computa- 
tionally binding commitments. Recall that computational binding means that if a dishonest 
party can open a commitment to two different values, then the computational assumption 
does not hold. In a classical simulation, the simulator simulates a run of the outer protocol 
with the committer, such that the latter outputs a valid commitment and later provides a 
correct opening. Now, the simulator has the possibility to rewind the player to a point after 
the commitment was sent and repeat the simulation, which can be adapted to the simulator's 
knowledge of the committed value. The event of obtaining a different opening for the same 
commitment in this second run implies the inversion of the underlying one-way function, 
which is assumed to be infeasible. In such a simulation, the simulator must store the previ- 
ous transcript before rewinding. Another example of this setting occurs when proving special 
soundness in a proof of knowledge. There, a classical simulator simulates a run of a protocol 
against a dishonest prover. It then keeps a transcript of the simulation and rewinds him. 
From two accepting conversations, the simulator can extract the prover's witness. Again, 
the simulator must store transcripts of the communication before rewinding. 

The second setting requires the simulator to rewind the dishonest player to the beginning 
of a protocol, if the reply from the dishonest party does not match the prepared outcome of 
the protocol such that both sides conclude on the ideal values as their result. This setting 
applies, for instance, when proving an outer protocol with an embedded computationally hid- 
ing commitment secure. Fortunately, if such a simulation complies with a restricted setting, 
the newly introduced quantum rewinding lemmas of |Wat09| can be applied. Therewith, 
rewinding is possible in a restricted quantum setting. We will discuss this technique in more 
detail in the following section, but in short, it requires a one bit reply from the dishonest 
party (e.g. a bit reply to a previous bit commitment), the simulation circuit must be unitary, 
and in case of rewinding, we do not intend to keep intermediate transcripts nor collect all 
possible results (see Section 3.5.2). Unfortunately, we do not know how to translate this 
technique to a multi-bit reply, while keeping the running time of the simulator polynomially 
bounded. In that case, the classical simulation would again reduce to the first setting above, 
in which the simulator must store previous transcripts, namely a previous message from the 
dishonest party that commits him to his multi-bit reply beforehand. 



3.5.2 Quantum Rewinding 

Recall that we consider the second setting of the previous section. In a classical simulation against dishonest Bob, a poly-time simulator guesses, for instance, a valid reply $b'$ of dishonest Bob and prepares the protocol transcript according to it. When the simulator finally receives Bob's actual reply $b$, it checks if the values coincide ($b = b'$), i.e., if its guess was correct and therewith, if the simulation was successful. If that is not the case, the simulator rewinds Bob and repeats the simulation until $b = b'$. No previous information has to be stored nor collected.
Recently, Watrous proposed a quantum analogue of such a simulator with the potential of rewinding, and proved thereby that quantum zero-knowledge is possible in an unrestricted model. We will sketch the most important aspects of his construction here but refer to [Wat09] for further details and proofs. More specifically, Watrous proved how to construct a quantum zero-knowledge proof system for Graph Isomorphism and introduced two so-called quantum rewinding lemmas; one for an exact setting and one that holds for slightly weaker assumptions and therewith covers a scenario with perturbations. The investigated protocol proceeds as a $\Sigma$-protocol, i.e., a protocol in three-move form, where the verifier flips a single coin in the second step and sends this challenge to the prover. Thus, the setting applies to the case where the reply $b$ from above is a single bit. This will also be the case for our simulation in Chapter 8 and therefore, we can use Watrous' result in a black-box manner. Unfortunately, we do not know how to translate his technique to a multi-bit reply, while keeping the running time of the simulator polynomially bounded.

The quantum rewinding procedure is implemented by a general quantum circuit $R$, which receives Bob's input registers $(W, X)$, where $W$ contains any $n$-qubit auxiliary input $|\psi\rangle$ and $X$ is a working register of size $k$, initialized to the all-zero state. As a first step, $R$ applies a unitary quantum circuit $Q$ to all registers to simulate the conversation, obtaining as output a multi-qubit register $Y$ and a single-qubit register $G$. Register $G$ contains the outcome of the CNOT-operation on the dishonest party's bit $b$ (as control) and the simulator's guess $b'$, i.e., $b \oplus b'$. Thus, by measuring this register in the computational basis, the simulator can determine whether the simulation was successful.

In more detail, the transformation from $(W, X)$ to $(G, Y)$ by applying $Q$ can be written as
\[ Q\,|\psi\rangle_W |0^k\rangle_X = \sqrt{p}\,|0\rangle_G |\phi_{good}(\psi)\rangle_Y + \sqrt{1-p}\,|1\rangle_G |\phi_{bad}(\psi)\rangle_Y \,, \]
where $0 < p < 1$ and $|\phi_{good}(\psi)\rangle$ denotes the state we want the system to be in for a successful simulation. The qubit in register $G$ is then measured with respect to the standard basis, which indicates success or failure of the simulation. A successful execution (where $b = b'$) results in outcome $0$ with probability $p$. In that case, $R$ outputs $Y$. A measurement outcome $1$ indicates $b \neq b'$, and hence, implies an unsuccessful simulation. In that case, $R$ quantumly rewinds the system by applying the reverse circuit $Q^\dagger$, and then a phase-flip transformation $2\,|0^k\rangle\langle 0^k| - \mathbb{1}$ on register $X$, before another iteration of $Q$ is applied, i.e.,
\[ Q\big(\mathbb{1}_W \otimes (2\,|0^k\rangle\langle 0^k|_X - \mathbb{1}_X)\big)\,Q^\dagger\,|1\rangle_G |\phi_{bad}(\psi)\rangle_Y = 2\sqrt{p(1-p)}\,|0\rangle_G |\phi_{good}(\psi)\rangle_Y + (1-2p)\,|1\rangle_G |\phi_{bad}(\psi)\rangle_Y \,. \]
Thus, after this rewinding, a measurement of register $G$ in the computational basis will result in outcome $0$ with probability $4p(1-p)$, which is larger than $p$ whenever $p \le 3/4$. If the measurement yields $1$ again, the system is once more in the state $|1\rangle_G |\phi_{bad}(\psi)\rangle_Y$, so the rewinding step can simply be repeated, each repetition succeeding with probability $4p(1-p)$; this is where the factor $1/(p_0(1-p_0))$ in the circuit size of Lemma 3.2 below comes from. Note that for the special case where $p$ equals $1/2$ and is independent of $|\psi\rangle$, the coefficient $1-2p$ vanishes and the simulation terminates after at most one rewinding.
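The rewinding identity above can be verified directly; the following derivation is added here for the reader (it is not part of the original text) and uses only the notation introduced above. Write $\Pi_0 := \mathbb{1}_W \otimes |0^k\rangle\langle 0^k|_X$ for the projector implementing the phase flip, $\Pi_1 := |1\rangle\langle 1|_G \otimes \mathbb{1}_Y$, $|\Phi\rangle := Q\,|\psi\rangle_W |0^k\rangle_X$, $|g\rangle := |0\rangle_G |\phi_{good}(\psi)\rangle_Y$ and $|b\rangle := |1\rangle_G |\phi_{bad}(\psi)\rangle_Y$, so that $|\Phi\rangle = \sqrt{p}\,|g\rangle + \sqrt{1-p}\,|b\rangle$ with $\langle g|b\rangle = 0$.

Step 1 (where the independence of $p$ from $|\psi\rangle$ enters). The operator $A := \Pi_0 Q^\dagger \Pi_1 Q \Pi_0$ is Hermitian and satisfies $\langle \psi, 0^k | A | \psi, 0^k \rangle = \|\Pi_1 |\Phi\rangle\|^2 = 1-p$ for every $|\psi\rangle$. A Hermitian operator whose quadratic form is constant on the subspace $\mathcal{W} \otimes |0^k\rangle$ acts as that constant times the identity there (polarization), hence
\[ \Pi_0 Q^\dagger |b\rangle = \frac{1}{\sqrt{1-p}}\,\Pi_0 Q^\dagger \Pi_1 Q\,|\psi\rangle|0^k\rangle = \frac{1}{\sqrt{1-p}}\,(1-p)\,|\psi\rangle|0^k\rangle = \sqrt{1-p}\,|\psi\rangle|0^k\rangle \,. \]

Step 2 (the rewinding step). Using $Q\,|\psi\rangle|0^k\rangle = |\Phi\rangle$,
\[ Q\,(2\Pi_0 - \mathbb{1})\,Q^\dagger |b\rangle = 2\sqrt{1-p}\,|\Phi\rangle - |b\rangle = 2\sqrt{1-p}\big(\sqrt{p}\,|g\rangle + \sqrt{1-p}\,|b\rangle\big) - |b\rangle = 2\sqrt{p(1-p)}\,|g\rangle + (1-2p)\,|b\rangle \,. \]

Step 3 (consistency checks). The result is normalized, since $4p(1-p) + (1-2p)^2 = 1$; the probability of measuring $0$ in register $G$ is $4p(1-p)$; and for $p = \tfrac{1}{2}$ the coefficient $1-2p$ vanishes, so the good state is obtained with certainty after one rewinding. Step 1 is exactly what fails when $p$ depends on $|\psi\rangle$, which is why Lemma 3.2 below replaces $Q$ by a corrected circuit $U = VQ$ for which the success probability is the input-independent value $q$.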

Watrous' ideal quantum rewinding lemma (without perturbations) then states the following: Under the condition that the probability $p$ of a successful simulation is non-negligible and independent of any auxiliary input, $R$ is poly-time and its output $\rho(\psi)$ has square-fidelity close to 1 with the state $|\phi_{good}(\psi)\rangle$ of a successful simulation, i.e.,
\[ \langle \phi_{good}(\psi) | \rho(\psi) | \phi_{good}(\psi) \rangle \ge 1 - \varepsilon \,, \]
with error bound $\varepsilon > 0$.

However, we cannot apply the exact version of Watrous' rewinding lemma in our simulation in Chapter 8, since we simulate against a dishonest party with an underlying commitment that only provides quantum-computational hiding against this party. Therefore, we can only claim that the probability $p$ is close to independent of the party's input. In other words, we must allow for small perturbations in the quantum rewinding procedure, and the slightly weaker notion of Watrous' quantum rewinding lemma, as stated below, applies.

Lemma 3.2 (Quantum Rewinding Lemma with small perturbations [Wat09]) Let $Q$ be the unitary $(n,k)$-quantum circuit and let $R$ be the general quantum circuit describing the quantum rewinding procedure. Let $p_0, q \in (0,1)$ and $\varepsilon \in (0, \frac{1}{2})$ be real numbers such that

1. $|p - q| < \varepsilon$,

2. $p_0(1-p_0) \le q(1-q)$, and

3. $p_0 \le p$

for all $n$-qubit states $|\psi\rangle$. Then there exists $R$ of size
\[ O\!\left(\frac{\log(1/\varepsilon)\,\mathrm{size}(Q)}{p_0(1-p_0)}\right) \]
such that, for every $n$-qubit state $|\psi\rangle$, the output $\rho(\psi)$ of $R$ satisfies
\[ \langle \phi_{good}(\psi) | \rho(\psi) | \phi_{good}(\psi) \rangle \ge 1 - \varepsilon' \,, \]
where $\varepsilon' = 16\,\varepsilon\,\dfrac{\log^2(1/\varepsilon)}{p_0^2(1-p_0)^2}$.

Intuitively, Requirement (1.) allows for a small perturbation between the actual probability $p$ and the ideal probability $q$. Thus, $\varepsilon$ can be understood as the advantage of the dishonest party. It follows that if $\varepsilon$ is negligible, we can argue that $p$ is close to $q$ and therefore close to independent of the auxiliary input. Probability $p_0$ in Requirement (3.) denotes the lower bound on the actual probability, for which the procedure guarantees correctness and terminates in poly-time. Instead of using $p$ in circuit $R$, we use $p_0$. Furthermore, $Q$ is replaced by $U$ with $U = VQ$. Lemma 3.2 reflects these replacements. On a very intuitive level, the general input state $|\psi\rangle$ is analyzed in more detail, i.e. $|\psi\rangle = \sum_{i=1}^{d} \alpha_i |\psi_i\rangle$, leading to
\[ |\phi_{good}(\psi)\rangle = \sum_{i=1}^{d} \alpha_i \sqrt{\frac{p_i}{p}}\,|\phi_{good}(\psi_i)\rangle \,, \]
where $p_i$ is the success probability on the component $|\psi_i\rangle$, and similarly for $|\phi_{bad}(\psi)\rangle$. This more detailed description allows that in any position, the probability is only near-independent of the input. The slight variations must then be addressed by an operator $V$, such that $U = VQ$ is close to $Q$ but satisfies the exact case of rewinding. In other words, applying $U$ on the perturbed input state gives the ideal outcome
\[ U\,|\psi\rangle_W |0^k\rangle_X = \sqrt{q}\,|0\rangle_G |\phi_{good}(\psi)\rangle_Y + \sqrt{1-q}\,|1\rangle_G |\phi_{bad}(\psi)\rangle_Y \,. \]
Transformation $V$ can therewith be understood as a correction. The bound in Requirement (2.) follows from proof details which will not be addressed here. Finally, note that the bounds are not necessarily tight. Important for our proof is, however, that all operations can be performed by polynomial-size circuits, and thus, the simulator has polynomial size (in the worst case). Furthermore, for negligible $\varepsilon$, it follows that the "closeness" of output $\rho(\psi)$ with the good state $|\phi_{good}(\psi)\rangle$ is slightly reduced, but quantum rewinding remains possible and the output $\rho(\psi)$ of $R$ still has square-fidelity close to 1 with the state $|\phi_{good}(\psi)\rangle$ of a successful simulation.



3.6 Definition of Security 

We will now define security for our two-party protocols, along the lines informally described in Section 2.2. To this end, we will work in the framework put forward by Fehr and Schaffner in [FS09]. There, they propose general definitions for correctness and security for any quantum protocol that implements a classical non-reactive two-party functionality, meaning that in- and output must be classical. We stress that the framework also allows functionalities which behave differently in case of a dishonest player. They then show that such a quantum protocol, complying with the framework, composes sequentially in a classical environment, or in other words, within an outer classical protocol. Their security definitions are phrased in simple information-theoretic conditions, depending on the functionality, which implies strong simulation-based security. For the sake of simplicity, the framework does not assume additional entities such as e.g. an environment, without of course compromising correctness in the given setting.

Throughout this work, we are interested in quantum and classical protocols that implement classical functionalities. As already mentioned, such primitives are often used as building blocks in more complicated classical (multi-party) protocols which implement more advanced tasks. Therefore, it is justified in Part II to restrict the focus to such quantum protocols that run in a classical environment and have classical in- and outputs. Furthermore, although the framework was originally proposed for quantum protocols that compose in a classical environment, we adapt it here for classical protocols against quantum attacks, which compose equally well when imposing the suggested restriction regarding the in- and outputs. Thus, we will use it also in Part III for defining security of our classical protocols.

Although various other security and composition frameworks have been proposed (such as [BM04, Unr04, Unr10, WW08]), we consider the security level achieved in this framework as a reasonable balance between weak demands and yet meaningful security. Furthermore, its structure is as simple and clear as possible and compliance with the definitions gives us sequential composition. Towards a general composition, we must, of course, extend the basic protocols as shown in Sections 5.5 and 8.3.

We will now introduce the framework more formally for a general functionality. We will use information-theoretic definitions in our notions of unconditional security as investigated in [FS09]. In addition, we will also show that computational security can be defined similarly, although with some modifications.



3.6.1 Correctness 

A protocol $\Pi$ consists of an infinite family of interactive quantum circuits for players Alice and Bob, indexed by the security parameter. For instance, in our quantum protocols this security parameter $m$ corresponds to the number of qubits transmitted in the first phase. However, to ease notation, we often leave the dependence on the security parameter implicit. Since we assume the common input state $\rho_{UV}$ to be classical, i.e.,
\[ \rho_{UV} = \sum_{u,v} P_{UV}(u,v)\,|u\rangle\langle u| \otimes |v\rangle\langle v| \,, \]
for some probability distribution $P_{UV}$, we understand $U, V$ as random input variables. The same holds for the classical output state $\rho_{XY}$ with output $X, Y$. The input-output behavior of the protocol is uniquely determined by $P_{XY|UV}$, and we write $\Pi(U,V) = (X,Y)$. Then, a classical non-reactive two-party ideal functionality $\mathcal{F}$ is given by a conditional probability distribution $P_{\mathcal{F}(U,V)|UV}$, with $\mathcal{F}(U,V)$ denoting the ideal-world execution, where the players forward their inputs $U, V$ to $\mathcal{F}$ and output whatever they obtain from $\mathcal{F}$. The definition of correctness of a protocol is now straightforward.

Definition 3.4 (Correctness) A protocol $\Pi(U,V) = (X,Y)$ correctly implements an ideal classical functionality $\mathcal{F}$, if for every distribution of the input values $U$ and $V$, the resulting common output satisfies
\[ (U, V, X, Y) \stackrel{d}{=} \big(U, V, \mathcal{F}(U,V)\big) \,. \]



3.6.2 Information-Theoretic Security 



We define information-theoretic security based on [FS09, Proposition 4.3]. Note that in the following, we simplify the joint output representation (compared to [FS09]) in that we denote the output in the real world by $\mathrm{out}^{\Pi}_{A,B}$ (which is equivalent to $\Pi_{A,B}\,\rho_{UV}$), and the output in the ideal world by $\mathrm{out}^{\mathcal{F}}_{A,B}$ (equivalent to $\mathcal{F}_{A,B}\,\rho_{UV}$).

Recall that $U$ denotes honest Alice's classical input, and let $Z$ and $V'$ denote dishonest Bob's classical and quantum information. Then, any input state $\rho_{UZV'}$ is restricted to be of the form
\[ \rho_{U \leftrightarrow Z \leftrightarrow V'} = \sum_{u,z} P_{UZ}(u,z)\,|u\rangle\langle u| \otimes |z\rangle\langle z| \otimes \rho^{z}_{V'} \,, \]
where it holds that $\rho^{u,z}_{V'} = \rho^{z}_{V'}$. This implies that Bob's quantum part $V'$ is correlated with Alice's part only via his classical $Z$.

Definition 3.5 (Unconditional security against dishonest Bob) A protocol $\Pi$ implements an ideal classical functionality $\mathcal{F}$ unconditionally securely against dishonest Bob, if for any real-world adversary $B'$, there exists an ideal-world adversary $\hat{B}'$ such that, for any input state with $\rho_{UZV'} = \rho_{U \leftrightarrow Z \leftrightarrow V'}$, it holds that the outputs in the real and the ideal world are statistically indistinguishable, i.e.,
\[ \mathrm{out}^{\Pi}_{A,B'} \approx \mathrm{out}^{\mathcal{F}}_{A,\hat{B}'} \,. \]

[Figure 3.1: Real World vs. Ideal World [Sch10].]

For completeness, we state these output states explicitly, i.e., $\mathrm{out}^{\Pi}_{A,B'} = \rho_{UXZY'}$ in the real world, and $\mathrm{out}^{\mathcal{F}}_{A,\hat{B}'}$ is the state of the same registers $U, X, Z, Y'$ produced by the ideal-world execution, whose explicit form shows that Bob's possibilities in the ideal world are limited. He can produce some classical input $V$ for $\mathcal{F}$ from his quantum input state $V'$, and then he can obtain a quantum state $Y'$ by locally processing $V'$ and possibly $\mathcal{F}$'s classical reply $Y$. This description is also depicted in Figure 3.1.



Analogously, we can define unconditional security for honest Bob against dishonest Alice. In this case, we assume a classical $Z$ and a quantum state $U'$ as dishonest Alice's input and a classical input $V$ of honest Bob.

Definition 3.6 (Unconditional security against dishonest Alice) A protocol $\Pi$ implements an ideal classical functionality $\mathcal{F}$ unconditionally securely against dishonest Alice, if for any real-world adversary $A'$, there exists an ideal-world adversary $\hat{A}'$ such that, for any input state with $\rho_{U'ZV} = \rho_{U' \leftrightarrow Z \leftrightarrow V}$, it holds that the outputs in the real and the ideal world are statistically indistinguishable, i.e.,
\[ \mathrm{out}^{\Pi}_{A',B} \approx \mathrm{out}^{\mathcal{F}}_{\hat{A}',B} \,. \]

Note that in the definitions above, we do not require the running time of ideal-world adversaries to be polynomial whenever the real-life adversaries run in polynomial time. This way of defining unconditional security can lead to the (unwanted) effect that unconditional security does not necessarily imply computational security. However, as mentioned before, by extending our basic constructions we can achieve efficient ideal-world adversaries.

Intuitively, the composition theorem below states that if quantum protocols $\pi_1 \cdots \pi_\ell$ securely implement ideal functionalities $\mathcal{F}_1 \cdots \mathcal{F}_\ell$, then a protocol $\Sigma^{\pi_1 \cdots \pi_\ell}$ is essentially as secure as a classical hybrid protocol $\Sigma^{\mathcal{F}_1 \cdots \mathcal{F}_\ell}$ with sequential calls to $\mathcal{F}_1 \cdots \mathcal{F}_\ell$. Note that for the hybrid protocol to be classical, we mean that it has classical in- and output (for the honest players), but also that all communication between the parties is classical.¹ The above facts imply that such protocols compose sequentially. Below, we state (a simplified variant of) the theorem in [FS09]. We omit its proof here but note that it proceeds along similar lines as the proof of Theorem 3.3, which translates sequential composition to the case of computational security.

Theorem 3.2 (Composition Theorem I [FS09]) Let $\Sigma^{\mathcal{F}_1 \cdots \mathcal{F}_\ell}$ be a classical hybrid protocol which makes at most $k$ calls to $\mathcal{F}_1 \cdots \mathcal{F}_\ell$, and for every $i \in \{1, \ldots, \ell\}$, let protocol $\pi_i$ be an $\varepsilon$-secure implementation of $\mathcal{F}_i$ against $\mathfrak{A}$ and $\mathfrak{B}$. Then the output of $\Sigma^{\pi_1 \cdots \pi_\ell}$ is at distance at most $O(k\varepsilon)$ to the output produced by $\Sigma^{\mathcal{F}_1 \cdots \mathcal{F}_\ell}$.

We want to explicitly state here that if the hybrid protocol is secure, then so is the real-life protocol, and as such it could itself be used as a sub-protocol in yet another classical outer protocol.

Corollary 3.1 If $\Sigma^{\mathcal{F}_1 \cdots \mathcal{F}_\ell}$ is a $\delta$-secure implementation of $\mathcal{G}$ against $\mathfrak{A}$ and $\mathfrak{B}$, and if $\pi_i$ is an $\varepsilon$-secure implementation of $\mathcal{F}_i$ against $\mathfrak{A}$ and $\mathfrak{B}$ for every $i \in \{1, \ldots, \ell\}$, then $\Sigma^{\pi_1 \cdots \pi_\ell}$ is an $O(\delta + k\varepsilon)$-secure implementation of $\mathcal{G}$.



3.6.3 Computational Security 

One can define security against a computationally bounded dishonest Bob in the CRS-model analogously to information-theoretic security, with the two differences that the input given to the parties has to be sampled by an efficient quantum algorithm and that the output states of Definition 3.5 should be computationally indistinguishable. Recall that in the CRS-model, all participants in the real world have access to a classical public common reference string $\omega$, which is chosen before any interaction starts, according to a distribution only depending on the security parameter. On the other hand, the participants in the ideal-world execution, interacting only with the ideal functionality, do not make use of the string $\omega$. Hence, an ideal-world adversary $\hat{B}'$ that operates by simulating a real-world adversary $B'$ is free to choose $\omega$ in any way he wishes.

In order to define computational security against a dishonest Bob in the CRS-model, we consider a polynomial-size quantum circuit, called input sampler, which takes as input the security parameter and the common reference string $\omega$ (chosen according to its distribution) and which produces the input state $\rho_{UZV'}$. Again, $U$, $Z$, and $V'$ denote Alice's classical, Bob's classical, and Bob's quantum information, respectively, and we require from the input sampler that $\rho_{UZV'} = \rho_{U \leftrightarrow Z \leftrightarrow V'}$. In the following, we let $\mathfrak{B}_{poly}$ be the family of all polynomial-time strategies for dishonest Bob.

¹ We want to stress that a hybrid protocol is a protocol that makes sequential calls to ideal functionalities. This term should not be confused with the notion of hybrid security in Chapter 5, which refers to quantum protocols providing twofold security in case of an adversary who is either bounded in quantum storage or bounded in quantum-computational power.

Definition 3.7 (Computational security against dishonest Bob) A protocol $\Pi$ implements an ideal classical functionality $\mathcal{F}$ computationally securely against dishonest Bob, if for any real-world adversary $B' \in \mathfrak{B}_{poly}$, who has access to the common reference string $\omega$, there exists an ideal-world adversary $\hat{B}' \in \mathfrak{B}_{poly}$, not using $\omega$, such that, for any efficient input sampler as described above, it holds that the outputs in the real and the ideal world are quantum-computationally indistinguishable, i.e.,
\[ \mathrm{out}^{\Pi}_{A,B'} \stackrel{q}{\approx} \mathrm{out}^{\mathcal{F}}_{A,\hat{B}'} \,. \]

Protocols fulfilling the definition above provide sequential composition in a naturally weaker but otherwise similar notion as unconditionally secure protocols. We can therefore adapt the original composition theorem to the case of computational security. For completeness, we will include its proof as given in [DFL+09].

Consider a dishonest $B'$ and the common state $\rho_{U_j Z_j V'_j}$ at any point during the execution of the hybrid protocol when a call to functionality $\mathcal{F}_i$ is made. The requirement for the oracle protocol to be classical is now expressed in that there exists a classical $Z_j$, to be understood as consisting of $B'$'s classical communication with $A$ and with the $\mathcal{F}_i$'s up to this point, such that given $Z_j$, Bob's quantum state $V'_j$ is not entangled with Alice's classical input and auxiliary information: $\rho_{U_j Z_j V'_j} = \rho_{U_j \leftrightarrow Z_j \leftrightarrow V'_j}$. Furthermore, we require that we may assume $Z_j$ to be part of $V'_j$ in the sense that for any $B'$ there exists $B''$ such that $Z_j$ is part of $V'_j$. This definition is motivated by the observation that if Bob can communicate only classically with Alice, then he can entangle his quantum state with information on Alice's side only by means of the classical communication.

We also consider the protocol we obtain by replacing the ideal functionalities by quantum two-party sub-protocols $\pi_1 \cdots \pi_\ell$ with classical in- and outputs for the honest parties, i.e., whenever $\Sigma^{\mathcal{F}_1 \cdots \mathcal{F}_\ell}$ instructs $A$ and $B$ to execute $\mathcal{F}_i$, they instead execute $\pi_i$ and take the resulting outputs. We then write $\Sigma^{\pi_1 \cdots \pi_\ell}$ for the real quantum protocol we obtain this way.

Recall that we require from the input sampler that $\rho_{UZV'} = \rho_{U \leftrightarrow Z \leftrightarrow V'}$, i.e., that $V'$ is correlated with Alice's part only via the classical $Z$. When considering classical hybrid protocols $\Sigma^{\mathcal{F}_1 \cdots \mathcal{F}_\ell}$ in the real world, where the calls are replaced with quantum protocols $\pi_1 \cdots \pi_\ell$ using a common reference string, it is important that every real protocol call uses a separate instance (or part) of the common reference string, which we denote by $\omega_j$ for the $j$-th call.

Theorem 3.3 (Composition Theorem II) Let $\Sigma^{\mathcal{F}_1 \cdots \mathcal{F}_\ell}$ be a classical two-party hybrid protocol which makes at most $k = \mathrm{poly}(n)$ calls to the functionalities, and for every $i \in \{1, \ldots, \ell\}$, let protocol $\pi_i$ be a computationally secure implementation of $\mathcal{F}_i$ against $\mathfrak{B}_{\mathrm{poly}}$. Then, for every real-world adversary $B' \in \mathfrak{B}_{\mathrm{poly}}$ who accesses the common reference string $\omega = \omega_1, \ldots, \omega_k$ there exists an ideal-world adversary $\hat{B}' \in \mathfrak{B}_{\mathrm{poly}}$ who does not use $\omega$ such that for every efficient input sampler, it holds that the outputs in the real and the ideal world are quantum-computationally indistinguishable, i.e.,

$out^{\Sigma^{\pi_1 \cdots \pi_\ell}}_{A,B'} \approx_q out^{\Sigma^{\mathcal{F}_1 \cdots \mathcal{F}_\ell}}_{\hat{A},\hat{B}'}$.
Note that we do not specify what it means for the hybrid protocol to be secure. In fact, Theorem 3.3 guarantees that whatever the hybrid protocol achieves, an indistinguishable output is produced by the real-life protocol with the functionality calls replaced by protocols. Of course, if the hybrid protocol is secure in the sense of Definition 3.7, then so is the real-life protocol.

Corollary 3.2 If $\Sigma^{\mathcal{F}_1 \cdots \mathcal{F}_\ell}$ is a computationally secure implementation of $\mathcal{G}$ against $\mathfrak{B}_{\mathrm{poly}}$, and if $\pi_i$ is a computationally secure implementation of $\mathcal{F}_i$ against $\mathfrak{B}_{\mathrm{poly}}$ for every $i \in \{1, \ldots, \ell\}$, then $\Sigma^{\pi_1 \cdots \pi_\ell}$ with at most $k = \mathrm{poly}(n)$ oracle calls is a computationally secure implementation of $\mathcal{G}$ against $\mathfrak{B}_{\mathrm{poly}}$.

Proof. We prove the claim in Theorem 3.3 by induction on k. If no calls are made, we can set $\hat{B}' := B'$ and the claim holds trivially. Consider now a protocol $\Sigma^{\mathcal{F}_1 \cdots \mathcal{F}_\ell}$ with at most $k > 0$ oracle calls. For simplicity, we assume that the number of oracle calls equals k, otherwise we instruct the players to make some "dummy calls". Let $\rho_{U_k Z_k V'_k}$ be the common state right before the k-th, and thus, last call to one of the sub-protocols $\pi_1, \ldots, \pi_\ell$ in the execution of the real protocol $\Sigma^{\pi_1 \cdots \pi_\ell}$. To simplify notation in the rest of the proof, we omit the index k and write $\rho_{UZV'}$ instead (see Figure 3.2). We know from the induction hypothesis for $k - 1$ that there exists an ideal-world adversary $\hat{B}' \in \mathfrak{B}_{\mathrm{poly}}$ not using the common reference string such that $\rho_{UZV'} \approx_q \sigma_{UZV'}$, where $\sigma_{UZV'}$ is the common state right before the k-th call to a functionality in the execution of the hybrid protocol $\Sigma^{\mathcal{F}_1 \cdots \mathcal{F}_\ell}$ with input $\rho_{UZV}$. As described, U and Z, V' are to be understood as follows. U denotes A's (respectively $\hat{A}$'s) input to the sub-protocol (respectively functionality) that is to be called next. Z collects the classical communication dictated by $\Sigma^{\mathcal{F}_1 \cdots \mathcal{F}_\ell}$ as well as B''s classical inputs to and outputs from the previous calls and V' denotes the dishonest player's current quantum state. Note that the existence of Z is guaranteed by our formalization of classical hybrid protocols and

Let $\omega_i$ be the common reference string used in protocol $\pi_i$. For simplicity, we assume that the index i, which determines the sub-protocol $\pi_i$ (or functionality $\mathcal{F}_i$) to be called next, is fixed and we just write $\pi$ and $\mathcal{F}$ for $\pi_i$ and $\mathcal{F}_i$, respectively. It follows from Definition 3.7 of computational security that there exists $\hat{B}' \in \mathfrak{B}_{\mathrm{poly}}$ (independent of the input state) not using $\omega_i$ such that the corresponding output states $\sigma_{XZY'}$ and $\tau_{XZY'}$, produced by $\mathcal{F}_{\hat{A},\hat{B}'}$ (as prescribed by the oracle protocol) and $\pi_{A,B'}$ run on the state $\sigma_{UZV'} = \sigma_{U \leftrightarrow Z \leftrightarrow V'}$, are quantum-computationally indistinguishable. The induction step is then completed with

$out^{\Sigma^{\pi_1 \cdots \pi_\ell}}_{A,B'} = \rho_{XZY'} = (\pi_{A,B'})\,\rho_{UZV'} \approx_q (\pi_{A,B'})\,\sigma_{UZV'} = \tau_{XZY'} \approx_q \sigma_{XZY'} = out^{\Sigma^{\mathcal{F}_1 \cdots \mathcal{F}_\ell}}_{\hat{A},\hat{B}'}$,

where $(\pi_{A,B'})\,\rho_X$ should be understood as running protocol $\pi_{A,B'}$ with input $\rho_X$. Note that the strategy of $\hat{B}'$ does not depend on the state $\sigma_{UZV'}$; hence, the overall ideal-world adversary $\hat{B}'$ does not depend on the input state either. Furthermore, the concatenation of two polynomially bounded players is polynomially bounded, i.e. $\hat{B}' \in \mathfrak{B}_{\mathrm{poly}}$.




Figure 3.2: Steps of the Composability Proof 
Quantum Cryptography

Introduction

In this part of the thesis, we present our research in quantum cryptography, which offers a secure alternative to some conventional cryptographic schemes that are rendered insecure by the potential emergence of large-scale quantum computing. We also want to mention an actual implementation of quantum protocols within the research project MOBISEQ ("Mobile Quantum Security"), which is a joint project of the cryptology group from the computer science department and the iNano center at the physics department, both at Aarhus University. The main goal of MOBISEQ is the development of technology for secure quantum communication that can compete with conventional methods on practicality, velocity and security and that can be integrated into existing infrastructures. However, at the time of writing, the implementation is still "under construction".

In the next sections, we will introduce the concept of mixed (classical) commitment schemes, since they are an important underlying construction in our quantum protocols.

In Chapter 5 we discuss our main result on improving the security of quantum protocols via a commit&open step, based on these mixed commitments. We first introduce the setting and then propose a general compiler therein. We further show that the construction remains secure in the case of noisy communication. We then proceed with combining the compilation technique with the bounded-quantum-storage model. Last, we show sequential composability and further use the extended commitment construction, discussed in Section 4.1.4, towards a more general composition.

In Chapter 6 we discuss that the compiler can be applied to known protocols and show two example applications, with the result of achieving hybrid-secure protocols.



4.1 Mixed Commitments 



Commitments were introduced on an intuitive level in Section 2.4.1 and capture the process 
of a party being committed to his message by the binding characteristic without immediately 
revealing it to the other party due to the hiding aspect. 



4.1.1 Motivation 

Our compiler construction in the following chapters requires a classical yet quantum-secure commitment from B to A. Since we aim at preserving the unconditional security against A in the outer quantum protocols, the commitment can only be quantum-computationally binding. As described in Section 3.5, the standard reduction from the computational security of the protocol to the computational binding property of the commitment would require rewinding B', which is not possible in the assumed protocol scenario.

Therefore, we construct keyed commitment schemes, which are special in that they are mixed commitments or dual-mode commitments.^ Generally speaking, the notion of mixed commitments requires some trapdoor information, related to the common reference string and given to the simulator in the ideal world. This trapdoor provides the possibility for extracting information out of the commitments, which finally allows us to circumvent the necessity of rewinding B'. We will discuss this in detail in Section 4.1.2. Additionally, we require that the basic mathematical assumption, which guarantees the hiding and binding properties of the commitments, withstands quantum attacks. We will propose an actual instantiation in Section 4.1.3.

4.1.2 Idea 

Recall that a keyed bit or string commitment $C = \mathrm{commit}_{pk}(m, r)$ takes as input a message m and some randomness r of size polynomial in the security parameter, as well as a public key pk. The message m can be a single bit b for the implementation of bit commitments or, in order to achieve string commitments, a bit-string $m = b_0, \ldots, b_s$. In order to open the commitment, message m and random variable r are sent in plain and the receiver therewith checks the correctness of C. Hiding is typically formalized by the requirement $(pk, \mathrm{commit}_{pk}(m_1, r_1)) \approx (pk, \mathrm{commit}_{pk}(m_2, r_2))$ with different flavors of indistinguishability, while binding prohibits that there exist $C, m_1, r_1, m_2, r_2$ such that $m_1 \neq m_2$, but $\mathrm{commit}_{pk}(m_1, r_1) = C = \mathrm{commit}_{pk}(m_2, r_2)$.

We construct our commitments in the CRS-model such that they provide dual modes depending on the public key. In more detail, let $\mathrm{commit}_K = (\mathrm{commit}, \mathcal{G}_H, \mathcal{G}_B, \mathrm{xtr})$ denote a (keyed) mixed commitment scheme. The commitment key pk is generated by one of the two possible key-generation algorithms, $\mathcal{G}_H$ or $\mathcal{G}_B$. Generator $\mathcal{G}_B$ takes as input the security parameter $\kappa$ and generates a key pair $(pk, sk) \leftarrow \mathcal{G}_B$, where $pk \in \{0,1\}^\kappa$ is a public key and sk is the corresponding secret key. xtr is a poly-time extraction algorithm that takes sk and C as input and produces m as output, i.e., $\mathrm{xtr}_{sk}(C) = \mathrm{xtr}_{sk}(\mathrm{commit}_{pk}(m, r)) = m$, which must hold for all pairs (pk, sk) generated by $\mathcal{G}_B$ and for all values m, r. In other words, the secret key sk allows to efficiently extract m from C, and as such the commitment is unconditionally binding. We often denote this type of key therefore by pkB. For a key $pk \leftarrow \mathcal{G}_H$, the commitment scheme is unconditionally hiding (and we often refer to this type as pkH). Furthermore, we need the unconditionally binding key pkB and the unconditionally hiding key pkH to be computationally indistinguishable even against quantum attacks, i.e., $pkB \approx_q pkH$.

We want to stress that we can even weaken the assumption on the hiding key in that we merely require that there exists a public-key encryption scheme where a random public key looks pseudo-random to poly-time quantum circuits. Thus, commit does not require actual unconditionally hiding keys, but we can use uniformly random strings from $\{0,1\}^\kappa$ as such. This is feasible in our proposed construction, sketched below, and still provides unconditional hiding, except with negligible probability. This fact also ensures that most keys of a specific domain are in that sense unconditionally hiding keys.

^The notions are interchangeable. The term of mixed commitments was introduced in [DN02]. In [DFL+09] the name dual-mode commitments was used to relate to the notion of a dual-mode cryptosystem [PVW08], which is similar in spirit, but slightly more involved. Last we want to mention that our schemes are similar to the commitment schemes used in [DFS04] but with extensions

Finally, to avoid rewinding we use the following proof method: In the real-world protocol, B uses the unconditionally hiding key pkH to maintain unconditional security against any unbounded A. To argue security against a computationally bounded B', an information-theoretic argument involving the simulator $\hat{B}'$ is given to prove that B' cannot cheat with the unconditionally binding key pkB. Security in real life then follows from the quantum-computational indistinguishability of pkH and pkB.



4.1.3 Instantiations 

As a candidate for instantiating our commitment construction, we propose the lattice-based public-key encryption scheme of Regev [Reg05]. The crypto-system is based on the (conjectured) hardness of the learning with errors (LWE) problem, which can be reduced from worst-case hardness of the approximation of the shortest vector problem (in its decision version). Thus, breaking Regev's crypto-system implies an efficient algorithm for approximating the lattice problem in the worst-case, which is assumed to be hard even with quantum computing power.

In more detail, the crypto-system uses dimension n as security parameter and is parametrized by two integers m and p, where p is a prime bounded by $n^2 < p < 2n^2$, and a probability distribution on $\mathbb{Z}_p$. A regular public key (in $\mathbb{Z}_p^{n \times m}$) for Regev's scheme is proven to be quantum-computationally indistinguishable from the case where a public key is chosen from the uniform distribution, and therewith, independently from a secret key. In this case, the ciphertext carries essentially no information about the message [Reg05, Lemma 5.4]. This proof of semantic security for Regev's crypto-system is in fact the property we require for our commitment, as the public key of a regular key pair can be used as the unconditionally binding commitment key pkB in the ideal-world simulation. Then, for the real protocol, an unconditionally hiding commitment key pkH can simply be constructed by uniformly choosing numbers in $\mathbb{Z}_p^{n \times m}$. Both public keys will be of size $\tilde{O}(n^2)$, and the encryption process involves only modular additions, which makes its use simple and efficient.^

For simplicity and efficiency, we use a common reference string, which allows us to use Regev's scheme in a simple way and, since it is relatively efficient, we get a protocol that is potentially practical. More specifically, in the CRS-model we assume the key pkB for the commitment scheme, generated by $\mathcal{G}_B$, to be contained in the common reference string. We want to stress however that we show in Part III, Section 10.3, how to avoid the CRS-model at the cost of a non-constant round construction, where we let the parties generate a common reference string jointly by coin-flipping.

For the compiler construction here, we will use Regev's original version, as we require bit commitments. However, a multi-bit variant of Regev's scheme is given in the full version of [PVW08]. All requirements as described above are maintained in this more efficient variant, which improves the performance of Regev's scheme by essentially a factor of n, e.g. the scheme can encrypt n bits using $\tilde{O}(n)$ bits. We use later in Part III that this implies that we can flip a $\lambda$-bit string using $\tilde{O}(\lambda)$ bits of communication when $\lambda$ is large enough. We also rely on this multi-bit version for our extended commitment construction, which we will describe in the next Section 4.1.4 and then use in Section 5.5.2, where we show how to achieve efficient simulation also against a dishonest A'.

^The notation $\tilde{O}(\cdot)$ is similar to the asymptotic Landau notation $O(\cdot)$ but ignores logarithmic factors.
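As an added toy illustration of the dual-mode scheme $\mathrm{commit}_K = (\mathrm{commit}, \mathcal{G}_H, \mathcal{G}_B, \mathrm{xtr})$ of Section 4.1.2 instantiated with Regev's encryption as in Section 4.1.3 (example code written for this page, not from the thesis or from [Reg05]): the dimension, prime, sample count and error distribution are small constructed parameters, the randomness r is the subset of samples summed during encryption, and the hiding key is a uniformly random pair (A, b) for which no secret key exists.

```python
import random

# Constructed toy parameters (assumption): lattice dimension N, prime P with
# N^2 < P < 2N^2 as in the text, and M samples. They illustrate the mechanics
# only and are far too small to be secure.
N, P, M = 10, 101, 80


def gen_binding_key(rng):
    """G_B: a regular Regev key pair. pkB = (A, b = A*s + e mod P), sk = s."""
    s = [rng.randrange(P) for _ in range(N)]
    A = [[rng.randrange(P) for _ in range(N)] for _ in range(M)]
    # small error: 0 with probability 1/2, otherwise +1 or -1 (toy "chi")
    e = [rng.choice([-1, 0, 0, 1]) for _ in range(M)]
    b = [(sum(a * x for a, x in zip(A[i], s)) + e[i]) % P for i in range(M)]
    return (A, b), s


def gen_hiding_key(rng):
    """G_H: uniformly random (A, b). b is not A*s + e for any small e, so the
    ciphertext statistically carries no information about the message."""
    A = [[rng.randrange(P) for _ in range(N)] for _ in range(M)]
    b = [rng.randrange(P) for _ in range(M)]
    return (A, b)


def sample_randomness(rng):
    """The commitment randomness r: a random subset S of the M samples."""
    return [i for i in range(M) if rng.random() < 0.5]


def commit(pk, bit, r):
    """commit_pk(bit, r): Regev encryption, sum of the samples in S plus
    bit * floor(P/2) in the last coordinate."""
    A, b = pk
    u = [sum(A[i][j] for i in r) % P for j in range(N)]
    v = (sum(b[i] for i in r) + bit * (P // 2)) % P
    return (u, v)


def open_check(pk, C, bit, r):
    """Receiver's check of an opening (bit, r): recompute commit_pk(bit, r)."""
    return commit(pk, C_bit := bit, r) == C if (C_bit := bit) is not None else False


def xtr(sk, C):
    """xtr_sk(C): Regev decryption. Under pkB the value v - <u, s> equals
    (sum of the chosen errors) + bit * floor(P/2), so rounding recovers bit."""
    u, v = C
    d = (v - sum(x * y for x, y in zip(u, sk))) % P
    dist0 = min(d, P - d)          # distance to 0
    dist1 = abs(d - P // 2)        # distance to floor(P/2)
    return 0 if dist0 < dist1 else 1


def demo(seed=1, trials=20):
    """Runs commit/open/xtr under both key types and reports what held."""
    rng = random.Random(seed)
    pkB, sk = gen_binding_key(rng)
    pkH = gen_hiding_key(rng)
    extract_ok = open_ok = wrong_open_rejected = True
    for _ in range(trials):
        bit = rng.randrange(2)
        r = sample_randomness(rng)
        # binding mode: sk extracts the committed bit without any opening
        C = commit(pkB, bit, r)
        extract_ok &= xtr(sk, C) == bit
        open_ok &= open_check(pkB, C, bit, r)
        wrong_open_rejected &= not open_check(pkB, C, 1 - bit, r)
        # hiding mode: same commit/open interface, but there is no sk to extract with
        CH = commit(pkH, bit, r)
        open_ok &= open_check(pkH, CH, bit, r)
    return {"extract_ok": extract_ok, "open_ok": open_ok,
            "wrong_open_rejected": wrong_open_rejected}


if __name__ == "__main__":
    print(demo())
```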
4.1.4 Extended Construction 

To achieve efficient simulation against both players, i.e. additional efficient simulation also against A' (in Section 5.5.2), we need to extend our commitments by yet another trapdoor, which provides the commitment with equivocability. Intuitively, this means that we now enable the simulator in the ideal world to construct commitments equivocally such that it can open them later to different bits. As we still need in addition the properties of the mixed commitment scheme of Section 4.1.2 in its multi-bit variant, we will build the new scheme around it, such that its trapdoor can still be used for extraction.

The new extension is based on the idea of UC-commitments [CF01] and requires a $\Sigma$-protocol for a (quantumly) hard relation $\mathcal{R} = \{(x, w)\}$, i.e. an honest-verifier perfect zero-knowledge proof of knowledge with instance x and witness w (see also Section 2.4.5). Conversations are of form $(a_x, c_x, z_x)$, where the prover sends $a_x$, the verifier challenges him with bit $c_x$, and the prover replies with $z_x$. For practical candidates of $\mathcal{R}$, see e.g. [DFS04]. By special soundness, it holds that from two accepting conversations with different challenges, i.e. $(a_x, 0, z_{x,0})$ and $(a_x, 1, z_{x,1})$, the simulator can extract w such that $(x, w) \in \mathcal{R}$.

In real life, the common reference string consists of commitment key pkH and instance x. To commit to a bit b, the committer B first runs the honest-verifier simulator to get, on input x, a conversation $(a_x, b, z_{x,b})$. Then, he commits by sending $(a_x, C_0, C_1)$, where $C_b = \mathrm{commit}_{pkH}(z_{x,b}, r_b)$ and $C_{1-b} = \mathrm{commit}_{pkH}(0^{z'}, r_{1-b})$ with randomness $r_b, r_{1-b}$ and $z' = |z_{x,b}|$. To open a commitment, B reveals b and opens $C_b$ by sending $z_{x,b}, r_b$. The receiver checks that $(a_x, b, z_{x,b})$ is a valid conversation and that $C_b$ was correctly opened. Assuming that the $\Sigma$-protocol is honest-verifier perfect zero-knowledge and pkH provides unconditional hiding, the new commitment construction is again unconditionally hiding.

In the ideal world, we assume that the simulator (simulating against A') knows w such that $(x, w) \in \mathcal{R}$ (and public key pkH). Therewith, it can compute two valid conversations $(a_x, 0, z_{x,0})$ and $(a_x, 1, z_{x,1})$ and set $C_0 = \mathrm{commit}_{pkH}(z_{x,0}, r_0)$ and $C_1 = \mathrm{commit}_{pkH}(z_{x,1}, r_1)$. This enables to open both ways, assuming the knowledge of the trapdoor w.

We maintain extraction, since in the respective simulation against B', the public key is chosen in a different but indistinguishable way, namely as (x, pkB), where pkB is the binding commitment key, generated together with sk. Now, given a commitment $(a_x, C_0, C_1)$, the simulator can decrypt $C_0, C_1$ to determine which of them contains a valid reply $z_{x,b}$ of the $\Sigma$-protocol. The only way this could fail is in the case where both $C_0$ and $C_1$ contain valid replies, which would imply that the committer B' could compute a valid w. For a polynomial-time bounded committer and a (quantumly) hard relation $\mathcal{R}$, however, this can occur only with negligible probability.
Improved Security for Quantum Protocols

Here, we propose a general compiler for improving the security of two-party quantum protocols, implementing different cryptographic tasks and running between mutually distrusting players Alice and Bob. The compiler extends security against an "almost honest" adversary by security against an arbitrary computationally bounded (quantum) adversary. Furthermore, we can achieve hybrid security such that certain protocols can only be broken by an adversary who has large quantum memory and large computing power. The results in this chapter are joint work with Damgård, Fehr, Salvail and Schaffner, and appeared in [DFL+09].



5.1 Motivation 



Our proposed compiler applies to a large class of quantum protocols, namely to so-called BB84-type protocols that follow a particular but very typical construction design for quantum communication. Our main result states that if the original protocol is secure against a so-called benign Bob who is only required to treat the qubits "almost honestly" but can deviate arbitrarily afterwards, then the compiled protocol is secure against a computationally bounded quantum Bob. The unconditional security against Alice that BB84-type protocols usually achieve is preserved during compilation and it requires only a constant increase of transmitted qubits and classical messages.

In other words, with our compiler, one can build a protocol for any two-party functionality by designing a protocol that only has to be secure if Bob is benign, which is a relatively weak assumption. On the other hand, many protocols following the BB84-type pattern (at least after some minor changes) have been proposed, e.g. for Oblivious Transfer, Commitment, and Password-Based Identification [CK88, DFSS08, DFR+07, DFSS07]. Typically, their proofs go through under our assumption. For instance, our compiler can easily be applied to existing quantum protocols implementing ID and OT, which we will show as example applications in Chapter 6.

In more detail, the compiler incorporates the mixed commitment scheme, discussed in Section 4.1, into the basic protocols with Bob as committer. Recall that we need such a mixed commitment to preserve the unconditional security against Alice that BB84-type protocols typically achieve but cannot apply the typical reduction from the computational security of the protocol to the computational binding property of the commitment, due to the restrictions on rewinding in the quantum world (see Section 3.5). The idea of introducing a (plain) commitment in quantum protocols has already been sketched in other works, for instance, in [CK88, BBCS91]. Furthermore, there are partial results, investigating this scenario, e.g. [Yao95, CDMS04, May96]. We will go into more details of preceding work in Section 6.1.

Previously, it was very unclear what exactly such a Commit&Open-step would achieve in the quantum world. The intuition is clearly that if Bob passes the test, he must have measured most of his qubits, also in the remaining untested subset. But — to our best knowledge — it was never formally proven that the classical intuition also holds for a quantum Bob. We now give a full characterization of Commit&Open in our quantum setting, namely that it forces Bob to be benign, for which we propose a formal definition and which might be of independent interest. These aspects are covered in Section 5.2. In this context, we want to mention the follow-up work in [BF10]. They phrase the Commit&Open-approach more clearly as the quantum version of classical sampling, and additionally, investigate sampling in quantum settings more generally.

In Section 5.3 we generalize our result to noisy quantum communication. Furthermore, security in the bounded-quantum-storage model that assumes the adversary's quantum storage to be of limited size, implies benign security. Therefore by compilation of such protocols, we can achieve hybrid security, which means that the adversary now needs both large quantum memory and large quantum computing power to break these new protocols. The preservation of BQSM-security allows us to get security properties that classical protocols cannot achieve, if the assumption on the limited quantum memory holds — which definitely is the case with current state-of-the-art (Section 5.4). However, if the assumption should fail and the adversary could perfectly store all qubits sent, the known protocols can be easily broken. Thus, by applying our compiler, we obtain another security layer that equips such protocols with additional quantum-computational security. Last, we sketch that the compiled protocols in their basic form remain sequentially composable. Moreover, by using the extended commitment construction of Section 4.1.4, we achieve efficient simulations on both sides, and therewith, a more general composition. This result is discussed in Section 5.5.



5.2 Introducing Commit&Open 

We now discuss our compiler construction in detail, starting from describing the form of 
BB84-type protocols and formalizing our notion of benignity. Then, we show the transfor- 
mation from benign security towards computational security and conclude with its proof. 

5.2.1 Initial situation 

We consider quantum two-party protocols that follow a particular but very typical construction design. These protocols consist of two phases, called preparation and post-processing phase. We call such a protocol a BB84-type protocol, as they have the same structure and the same encoding scheme as the first (complete) quantum protocol by Bennett and Brassard in 1984 for quantum key distribution [BB84]. However, we want to stress again that we are interested in protocols for cryptographic tasks other than key distribution, and therewith, we also consider the case of dishonest players. A generic BB84-type protocol $\Pi$ is specified in Figure 5.1.

Protocol $\Pi$
Preparation:

A chooses $x \in_R \{0,1\}^n$ and $\theta \in_R \{+,\times\}^n$ and sends $|x\rangle_\theta$ to B, and B chooses $\hat\theta \in_R \{+,\times\}^n$ and obtains $\hat x \in \{0,1\}^n$ by measuring in bases $\hat\theta$.

Post-processing:

Arbitrary classical communication and classical local computations.

Figure 5.1: The Generic BB84-type Quantum Protocol $\Pi$.



In the preparation phase, Alice transmits n random BB84-qubits to Bob. More specifically, Alice chooses a random bit string $x = x_1, \ldots, x_n$ and a random basis-string $\theta = \theta_1, \ldots, \theta_n$ from a set of two conjugate bases, encodes her qubits accordingly, i.e., $x_i$ is encoded in the state of the ith particle using basis $\theta_i$, and sends them to Bob. Bob chooses a basis-string $\hat\theta = \hat\theta_1, \ldots, \hat\theta_n$ and measures the ith particle in basis $\hat\theta_i$. If Bob plays honestly, he learns $x_i$ whenever the bases match, i.e. $\hat\theta_i = \theta_i$. Otherwise, he gets a random independent result. The second phase of the protocol, the post-processing, consists of arbitrary classical messages and local computations, depending on the task at hand.

However, the fact that all BB84-type protocols have in common is that the classical post-processing typically relies on Bob's subsets of correct and random outcomes, or in other words, on the fact that a dishonest Bob has high uncertainty about a crucial piece of information. Thus, BB84-type protocols — in their basic form — may be broken by a dishonest Bob, who does not measure the qubits immediately. This is due to the fact that Alice typically reveals $\theta$ at a later stage so that Bob knows the correct subset. However, a dishonest Bob could measure all stored qubits in matching bases $\hat\theta = \theta$, and thus, learn more information than he was supposed to.

This aspect is captured in our definition of security against a benign Bob, or more precisely 
a "benignly dishonest" Bob, who treats the qubits "almost honestly" in the preparation phase 
but can deviate arbitrarily otherwise. Note that, in contrast to Bob's situation, BB84-type 
protocols typically achieve unconditional security against cheating by Alice in their default 
form. On a very intuitive level, it should now be evident that we want to enforce Bob's 
measurement upon qubit reception before any further announcement by Alice. In the next 
section, we will make this definition more formal. 



5.2.2 Security against Benign Bob 

The following security definition captures information-theoretic security against a benign 
Bob. Recall that such a dishonest Bob is benign in that, in the preparation phase, he does 
not deviate (too much) from what he is supposed to do. In the post-processing phase, though, 
he may be arbitrarily dishonest. 

To make this description formal, we fix an arbitrary choice of $\theta$ and an arbitrary value z for the classical information, which Bob may obtain as a result of the preparation phase (i.e. $z = (\hat\theta, \hat x)$ in case Bob is actually honest). Let X denote the random variable describing the bit-string x, where we understand the distribution $P_X$ of X to be conditioned on the fixed choices for $\theta$ and z. Furthermore, let $\rho_E$ be the state of Bob's quantum register E after the preparation phase. Note that, still with fixed $\theta$ and z, $\rho_E$ is of the form $\rho_E = \sum_x P_X(x)\,\rho_E^x$, where $\rho_E^x$ is the state of Bob's quantum register in case X takes on the value x. In general, the $\rho_E^x$ may be mixed, but we can think of them as being reduced pure states with $\rho_E^x = \mathrm{tr}_R(|\psi^x_{ER}\rangle\langle\psi^x_{ER}|)$ for a suitable register R and pure states $|\psi^x_{ER}\rangle$. We then call the state $\rho_{ER} = \sum_x P_X(x)\,|\psi^x_{ER}\rangle\langle\psi^x_{ER}|$ a point-wise purification (with respect to X) of $\rho_E$. Obviously, in case Bob is honest, $X_i$ is fully random whenever $\hat\theta_i \neq \theta_i$, and we have

$H_\infty(X|_I \mid X|_{\bar I} = x|_{\bar I}) = d_H(\theta|_I, \hat\theta|_I)$,

for every $I \subseteq \{1, \ldots, n\}$ and every $x|_{\bar I}$, where $\bar I$ denotes the complementary set. In that case, Bob does not store any non-trivial quantum state so that R is "empty" and

$H_0(\rho_{ER}) = H_0(\rho_E) = 0$.

A benign Bob B' is now specified to behave close-to-honestly in the preparation phase in that, after the preparation, he produces an auxiliary output $\hat\theta$. Given this output, we are in a certain sense close to the ideal situation where Bob really measured in basis $\hat\theta$ as far as the values of $H_\infty(X|_I \mid X|_{\bar I} = x|_{\bar I})$ and $H_0(\rho_{ER})$ are concerned.^ Informally speaking, the following definition states (under Point (1.)) that there exists a string $\hat\theta$ of B''s measurement bases, such that the uncertainty about A's bit $x_i$ is essentially 1 whenever $\hat\theta_i \neq \theta_i$. Furthermore, B''s quantum storage is small.

Definition 5.1 (Unconditional security for Alice against benign Bob) A BB84-type quantum protocol $\Pi$ securely implements $\mathcal{F}$ against a $\beta$-benign B' for some parameter $\beta \geq 0$, if it securely implements $\mathcal{F}$ according to Definition 3.5, with the following two modifications:

1. The quantification is over all B' with the following property: After the preparation phase B' either aborts, or else produces an auxiliary output $\hat\theta \in \{+,\times\}^n$. Moreover, the joint state of A and B' after $\hat\theta$ has been output is statistically indistinguishable from a state for which it holds that, for any fixed values for $\theta$, $\hat\theta$ and z, for any subset $I \subseteq \{1, \ldots, n\}$, and for any $x|_{\bar I}$,

$H_\infty(X|_I \mid X|_{\bar I} = x|_{\bar I}) \geq d_H(\theta|_I, \hat\theta|_I) - \beta n \quad\text{and}\quad H_0(\rho_{ER}) \leq \beta n$, (5.1)

where $\rho_{ER}$ is a point-wise purification of $\rho_E$ with respect to X.

2. $\hat{B}'$'s running time is polynomial in the running time of B'.

^The reason why we consider the point-wise purification of $\rho_E$ is to prevent Bob from artificially blowing up $H_0(\rho_{ER})$ by locally generating a large mixture or storing an unrelated mixed input state.
Protocol $C^\alpha(\Pi)$:
Preparation:

A chooses $x \in_R \{0,1\}^m$ and $\theta \in_R \{+,\times\}^m$ and sends $|x\rangle_\theta$ to B. Then, B chooses $\hat\theta \in_R \{+,\times\}^m$ and obtains $\hat x \in \{0,1\}^m$ by measuring $|x\rangle_\theta$ in bases $\hat\theta$.

Verification:

1. B commits to $\hat\theta$ and $\hat x$ position-wise by $C_i := \mathrm{commit}((\hat\theta_i, \hat x_i), r_i)$ with randomness $r_i$ for $i = 1, \ldots, m$. He sends the commitments to A.

2. A sends a random test subset $T \subset \{1, \ldots, m\}$ of size $\alpha m$. B opens $C_i$ for all $i \in T$. A checks that the openings are correct and that $\hat x_i = x_i$ whenever $\hat\theta_i = \theta_i$. If all tests are passed, A accepts. Otherwise, she rejects and aborts.

3. The tested positions are discarded by both parties: A and B restrict x and $\theta$, respectively $\hat\theta$ and $\hat x$, to $i \notin T$.

Post-processing:

As in $\Pi$ (with x, $\theta$, $\hat x$ and $\hat\theta$ restricted to positions $i \notin T$).

Figure 5.2: The Compiled Protocol $C^\alpha(\Pi)$.



5.2.3 From Benign to Computational Security

We now show a generic compiler which transforms any BB84-type protocol into a new quantum protocol for the same task. The compiler achieves that, if the original protocol is unconditionally secure against dishonest Alice and unconditionally secure against benign Bob, then the compiled protocol remains unconditionally secure against dishonest Alice but is now computationally secure against an arbitrary dishonest Bob.

The idea behind the construction of the compiler is to incorporate a commitment scheme and force Bob to behave benignly by means of the Commit&Open-procedure. More precisely, we let Bob classically and position-wise commit to all his measurement bases and outcomes. Then Alice chooses a random test-subset of size $\alpha m$ and checks by Bob's openings that the bits coincide whenever the bases match. If the test is passed, the post-processing is conducted on the remaining unopened positions. Otherwise, Alice aborts. Figure 5.2 shows the compilation of an arbitrary BB84-type protocol $\Pi$. The quantum communication is increased from n to $m = n/(1-\alpha)$ qubits, where $0 < \alpha < 1$ is an additional parameter that can be arbitrarily chosen, and the compiled protocol requires three more rounds of interaction.
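The verification phase of $C^\alpha(\Pi)$ from Figure 5.2, as an added classical simulation written for this page (not code from the thesis): it assumes a SHA-256 hash as a stand-in for the dual-mode commit of Section 4.1, models an honest measurement classically (matching bases give $x_i$, others a fresh random bit), and models a Bob who leaves his qubits unmeasured as one who must commit to guesses before $\theta$ is known. The honest run passes and leaves exactly n positions; the non-measuring run is caught by the test.

```python
import hashlib
import random


def commit(theta_hat, x_hat, r):
    """Commitment stand-in (assumption): hash of (basis, outcome, randomness)
    in place of the keyed dual-mode commit of Section 4.1."""
    return hashlib.sha256(f"{theta_hat}|{x_hat}|{r}".encode()).hexdigest()


def alice_prepare(rng, m):
    """Preparation phase, Alice's side: random bits x and bases theta."""
    x = [rng.randrange(2) for _ in range(m)]
    theta = [rng.choice("+x") for _ in range(m)]
    return x, theta


def honest_bob(rng, x, theta):
    """Classical model of honest measurement in bases theta_hat:
    x_hat_i = x_i when theta_hat_i = theta_i, a random bit otherwise."""
    theta_hat = [rng.choice("+x") for _ in range(len(x))]
    x_hat = [x[i] if theta_hat[i] == theta[i] else rng.randrange(2)
             for i in range(len(x))]
    return theta_hat, x_hat


def delaying_bob(rng, x, theta):
    """Model of a Bob who keeps the qubits unmeasured: he has to commit
    before theta is announced, so the committed outcomes are guesses
    that are independent of x (he never looked at the qubits)."""
    m = len(x)
    return ([rng.choice("+x") for _ in range(m)],
            [rng.randrange(2) for _ in range(m)])


def run_compiled(n, alpha, bob, seed=7):
    """Runs preparation plus the three verification steps of C^alpha(Pi)
    with m = n/(1-alpha) positions; returns Alice's verdict and the number
    of positions left for the post-processing."""
    rng = random.Random(seed)
    m = round(n / (1 - alpha))
    x, theta = alice_prepare(rng, m)
    theta_hat, x_hat = bob(rng, x, theta)
    # 1. Bob commits position-wise to (theta_hat_i, x_hat_i) and sends C_i
    r = [rng.getrandbits(128) for _ in range(m)]
    C = [commit(theta_hat[i], x_hat[i], r[i]) for i in range(m)]
    # 2. Alice picks T of size alpha*m; Bob opens; Alice checks openings and
    #    that x_hat_i = x_i wherever the bases match
    T = set(rng.sample(range(m), int(alpha * m)))
    accepted = all(
        commit(theta_hat[i], x_hat[i], r[i]) == C[i]
        and (theta_hat[i] != theta[i] or x_hat[i] == x[i])
        for i in T)
    # 3. tested positions are discarded by both parties
    remaining = [i for i in range(m) if i not in T]
    return {"accepted": accepted, "m": m, "remaining": len(remaining)}


if __name__ == "__main__":
    print("honest:", run_compiled(64, 0.5, honest_bob))
    print("unmeasured:", run_compiled(64, 0.5, delaying_bob))
```

With $\alpha = 1/2$ the test opens 64 of 128 positions, of which roughly half have matching bases, so a Bob who committed to guesses is caught with probability about $1 - 2^{-32}$ while the honest run never fails.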

Although apparently simple — intuition clearly suggests that if Bob passes the measurement test, he must have measured most of his qubits, also in the remaining untested subset — this Commit&Open approach is not trivial to rigorously prove for a quantum Bob. Moreover, in order to preserve unconditional security against dishonest Alice, the commitment scheme needs to be unconditionally hiding, and so can be at best quantum-computationally binding. For a plain commitment scheme however, the common reduction from computational security of the protocol $C^\alpha(\Pi)$ to the computational binding property of a commitment scheme would require rewinding, but we do not know of any technique for our protocol structure (see also Section 3.5 for an elaborated discussion).

Therefore, we use our mixed dual-mode commitment construction $\mathsf{commit}$ from Section 4.1, which allows us to circumvent the necessity of rewinding. Recall that $\mathsf{commit}$ is a keyed dual-mode commitment scheme with an unconditionally hiding key $pk_H$, generated by $\mathcal{G}_H$, and an unconditionally binding key $pk_B$, generated by $\mathcal{G}_B$ along with a secret key $sk$ that allows to efficiently extract $m$ from $\mathsf{commit}(m, r)$. Furthermore, $pk_H$ and $pk_B$ are quantum-computationally indistinguishable. For simplicity and efficiency, we consider the CRS model, and we assume the hiding key $pk_H$ for the commitment scheme, generated according to $\mathcal{G}_H$, to be contained in the common reference string; the binding key $pk_B$ is used only by the simulator in the security proof. We discuss in Section 10.3.2 how to avoid the CRS model, at the cost of a non-constant-round construction where the parties generate a common reference string jointly by coin-flipping. Such an approach allows us to implement the entire application without any set-up assumptions. With our dual-mode commitment scheme, we arrive at the following theorem, capturing the compilation of any protocol from benign security towards computational security.

Theorem 5.1 (Compiler) Let $\Pi$ be a BB84-type protocol, unconditionally secure against dishonest Alice and against $\beta$-benign Bob for some constant $\beta > 0$. Consider the compiled protocol $C^\alpha(\Pi)$ for arbitrary $\alpha > 0$, where the commitment scheme is instantiated by a dual-mode commitment scheme. Then, $C^\alpha(\Pi)$ is unconditionally secure against dishonest Alice and quantum-computationally secure against dishonest Bob in the CRS model.

Proof. We sometimes write $C^\alpha_{pk_H}(\Pi)$ for the compiled protocol $C^\alpha(\Pi)$ to stress that key $pk_H$, produced by $\mathcal{G}_H$, is used for the dual-mode commitment scheme. Analogously, we write $C^\alpha_{pk_B}(\Pi)$ when key $pk_B$, produced by $\mathcal{G}_B$, is used instead.

Correctness is trivially checked. In order to show unconditional security against $A'$, first note that the unconditionally hiding property of the commitment ensures that $A'$ does not learn any additional information. Furthermore, as the ideal-world adversary $\hat{A}'$ is not required to be poly-time bounded according to Definition 3.6, $\hat{A}'$ can break the binding property of the commitment scheme and thereby perfectly simulate the behavior of honest B towards $A'$ attacking $C^\alpha(\Pi)$. The issue of efficiency of the ideal-world adversaries will be addressed in Section 5.5.



As for computational security against dishonest Bob, according to Definition 3.7 we need to prove that for every real-world adversary $B' \in \mathfrak{B}_{poly}$ attacking $C^\alpha(\Pi)$, there exists a suitable ideal-world adversary $\hat{B}' \in \mathfrak{B}_{poly}$ attacking $\mathcal{F}$ such that the real and the ideal output states are quantum-computationally indistinguishable.

First, note that by the computational indistinguishability of $pk_H$ and $pk_B$,
$$\mathrm{out}^{C^\alpha(\Pi)}_{A,B'} = \mathrm{out}^{C^\alpha_{pk_H}(\Pi)}_{A,B'} \stackrel{q}{\approx} \mathrm{out}^{C^\alpha_{pk_B}(\Pi)}_{A,B'} \,. \qquad (5.3)$$
Then, we construct an adversary $B'_0 \in \mathfrak{B}_{poly}$ who attacks the unconditional security against benign Bob of protocol $\Pi$, and which satisfies
$$\mathrm{out}^{C^\alpha_{pk_B}(\Pi)}_{A,B'} = \mathrm{out}^{\Pi}_{A_0,B'_0} \,, \qquad (5.4)$$
where $A_0$ honestly executes $\Pi$. We define $B'_0$ in the following way. Consider the execution of $C^\alpha(\Pi)$ between A and $B'$. We split entity A into two players $A_0$ and $\tilde{A}$, where we think of $\tilde{A}$ as being placed in between $A_0$ and $B'$. The split entities of this proof are also depicted in Figure 5.3.

$A_0$ plays honest A's part of $\Pi$. $\tilde{A}$ can be understood as completing Commit&Open. More specifically, $\tilde{A}$ acts as follows. It receives $n$ qubits from $A_0$ and produces $\alpha n/(1-\alpha)$ random BB84 qubits of its own. Then, it interleaves the produced qubits randomly with the received qubits and sends the resulting $m = n/(1-\alpha)$ qubits to $B'$. $\tilde{A}$ then completes the verification step of $C^\alpha(\Pi)$ with $B'$, asking him to open the commitments which correspond to $\tilde{A}$'s own qubits. If this results in accept, $\tilde{A}$ lets $A_0$ finish the protocol with $B'$. Note that the pair $(A_0, \tilde{A})$ does exactly the same as A.

Figure 5.3: Constructing an attacker $B'_0$ against $\Pi$ from an attacker $B'$ against $C^\alpha(\Pi)$.

However, we can also move the actions of $\tilde{A}$ to $B'$'s side, and define $B'_0$ as follows. $B'_0$ samples $(pk_B, sk)$ according to $\mathcal{G}_B$ and executes $\Pi$ with $A_0$ by locally running $\tilde{A}$ and $B'$, using $pk_B$ as commitment key. If $\tilde{A}$ accepts the verification, then $B'_0$ outputs $\hat\theta \in \{0,1\}^n$ (as required from a benign Bob), obtained by decrypting the unopened commitments with the help of $sk$. Otherwise, $B'_0$ aborts at this point. It is now clear that Eq. (5.4) holds: exactly the same computation takes place in both "experiments", the only difference being that they are executed partly by different entities.



The last step is to show that, for some $\hat{B}'$,
$$\mathrm{out}^{\Pi}_{A_0,B'_0} \approx \mathrm{out}^{\mathcal{F}}_{\hat{A},\hat{B}'} \,. \qquad (5.5)$$
Eq. (5.5) actually claims that $\hat{A}$ and $\hat{B}'$ successfully simulate $A_0$ and $B'_0$ executing $\Pi$. This follows by the assumption of benign security of $\Pi$, if we can show that $B'_0$ is $\beta$-benign according to Definition 5.1, for any $\beta > 0$. We show this in the following subsection; more precisely, we prove that the joint state of $A_0, B'_0$ after the preparation phase is statistically indistinguishable from a state $\rho_{ideal}$ which satisfies the bounds in Eq. (5.1) of Definition 5.1. We conclude the current proof by claiming that Theorem 5.1 follows from Eqs. (5.3) to (5.5) together.



5.2.4 Proof of Bounds on Entropy and Memory Size 

Recall that $A_0$ executing $\Pi$ with $B'_0$ can equivalently be thought of as A executing $C^\alpha_{pk_B}(\Pi)$ with $B'$ (Figure 5.3). Furthermore, a joint state of $A, B'$ is clearly also a joint state of $A_0, B'_0$. To show the existence of $\rho_{ideal}$ for $A_0, B'_0$ as promised above, it therefore suffices to show such a state for $A, B'$. In other words, we need to show that the execution of $C^\alpha_{pk_B}(\Pi)$ with honest A and arbitrarily dishonest $B'$, after verification, will be close to a state where Eq. (5.1) holds.

Protocol EPR-$C^\alpha_{pk_B}(\Pi)$:

Preparation:

A prepares $m$ EPR pairs $\frac{1}{\sqrt{2}}(|00\rangle + |11\rangle)$ and sends the second qubit in each pair to B, while keeping the other qubits in register $A = A_1 \cdots A_m$. B chooses $\hat\theta \in_R \{0,1\}^m$ and obtains $\hat{x} \in \{0,1\}^m$ by measuring the received qubits in bases $\hat\theta$.

Verification:

1. B commits to $\hat\theta$ and $\hat{x}$ position-wise by $c_i := \mathsf{commit}((\hat\theta_i, \hat{x}_i), r_i)$ with randomness $r_i$ for $i = 1, \ldots, m$. He sends the commitments to A.

2. A sends a random test subset $T \subset \{1, \ldots, m\}$ of size $\alpha m$. B opens $c_i$ for all $i \in T$. A chooses $\theta \in_R \{+, \times\}^m$, measures the registers $A_i$ with $i \in T$ in basis $\hat\theta_i$ to obtain $x_i$, and checks that the openings are correct and that $x_i = \hat{x}_i$ whenever $\theta_i = \hat\theta_i$ for $i \in T$. If all tests are passed, A accepts. Otherwise, she rejects and aborts.

3. A measures the remaining registers in basis $\theta|_{\bar{T}}$ to obtain $x|_{\bar{T}}$. The tested positions are discarded by both parties: A and B restrict $x$ and $\theta$, respectively $\hat{x}$ and $\hat\theta$, to $i \notin T$.

Post-processing:

As in $\Pi$ (with $x, \theta, \hat{x}$ and $\hat\theta$ restricted to positions $i \notin T$).

Figure 5.4: The EPR version of $C^\alpha_{pk_B}(\Pi)$.

To show this closeness, we consider an equivalent EPR version, where Alice creates $m$ EPR pairs $\frac{1}{\sqrt{2}}(|00\rangle + |11\rangle)$, sends one qubit in each pair to Bob, and keeps the others in register $A$. Then, Alice can measure her qubits only when needed, namely, she measures the qubits within $T$ in Step 2 of the verification phase, and the remaining qubits at the end of the verification phase. With respect to the information Alice and Bob obtain, this EPR version is identical to the original protocol $C^\alpha_{pk_B}(\Pi)$ based on single qubits, since the only difference is the point in time when Alice obtains certain information.

We can further modify the procedure without affecting Eq. (5.1) as follows. Instead of measuring her qubits in $T$ in her basis $\theta|_T$, Alice measures them in Bob's basis $\hat\theta|_T$. However, she still verifies only whether $x_i = \hat{x}_i$ for those $i \in T$ with $\theta_i = \hat\theta_i$. Because the positions $i \in T$ with $\theta_i \neq \hat\theta_i$ are not used in the protocol at all, this change has no effect. As the commitment scheme is unconditionally binding if key $pk_B$ is used, Bob's basis $\hat\theta$ is well defined by his commitments (although hard to compute), even if Bob is dishonest. The resulting scheme is given in Figure 5.4.



We consider an execution of EPR-$C^\alpha_{pk_B}(\Pi)$ in Figure 5.4 with an honest A and a dishonest $B'$, and we fix $\hat\theta$ and $\hat{x}$, determined by $B'$'s commitments. Let $|\varphi_{AE}\rangle \in \mathcal{H}_A \otimes \mathcal{H}_E$ be the state of the joint system right before Step 2 of the verification phase. Since we are anyway interested in the point-wise purification of $B'$'s state, we may indeed assume this state to be pure. If it is not pure, we purify it and carry the purifying register $R$ along with $E$. Clearly, if $B'$ had honestly done his measurements then, for some $|\psi_E\rangle \in \mathcal{H}_E$,
$$|\varphi_{AE}\rangle = |\hat{x}\rangle_{\hat\theta} \otimes |\psi_E\rangle \,.$$
In this case, the quantum memory $E$ would be empty, i.e.,
$$H_0(|\psi_E\rangle\langle\psi_E|) = 0 \,,$$
and the uncertainty about $X$, obtained when measuring in basis $\theta|_{\bar{T}}$, would be maximal in the sense that it would be exactly one bit in each position with non-matching bases, i.e.,
$$H_\infty(X) = d_H(\theta|_{\bar{T}}, \hat\theta|_{\bar{T}}) \,.$$

We now show that the verification phase enforces these properties for an arbitrary dishonest $B'$, at least approximately in the sense of Eq. (5.1). Recall that $T \subset \{1, \ldots, m\}$ is random subject to $|T| = \alpha m$. Furthermore, for fixed $\hat\theta$ but randomly chosen $\theta$, the subset $T' = \{i \in T : \theta_i = \hat\theta_i\}$ is a random subset (of arbitrary size) of $T$. Let the random variable $Test$ describe the choice of $test = (T, T')$ as specified above, and consider the state $\rho_{TestAE}$, consisting of the classical $Test$ and the quantum state $|\varphi_{AE}\rangle$, with
$$\rho_{TestAE} = \rho_{Test} \otimes |\varphi_{AE}\rangle\langle\varphi_{AE}| = \sum_{test} P_{Test}(test)\, |test\rangle\langle test| \otimes |\varphi_{AE}\rangle\langle\varphi_{AE}| \,.$$
Recall that $r_H(\cdot, \cdot)$ denotes the relative Hamming distance between two strings (see Eq. (3.22)). The following lemma shows that the state $\rho_{TestAE}$ is close to an "ideal state" $\tilde\rho_{TestAE}$, capturing a situation where for any choice of $T$ and $T'$ and for any outcome $x|_T$ when measuring $A|_T$ in basis $\hat\theta|_T$, the relative error $r_H(x|_{T'}, \hat{x}|_{T'})$ (the test estimate) gives an upper bound (which holds with probability 1) on the relative error $r_H$ one would obtain by measuring the remaining subsystems $A_i$ with $i \notin T$ in basis $\hat\theta_i$.

Lemma 5.1 For any $\varepsilon > 0$, $\hat{x} \in \{0,1\}^m$ and $\hat\theta \in \{+, \times\}^m$, the state $\rho_{TestAE}$ is negligibly close (in $m$) to a state
$$\tilde\rho_{TestAE} = \sum_{test} P_{Test}(test)\, |test\rangle\langle test| \otimes |\tilde\varphi^{test}_{AE}\rangle\langle\tilde\varphi^{test}_{AE}| \,,$$
where for any $test = (T, T')$, we have
$$|\tilde\varphi^{test}_{AE}\rangle = \sum_{x \in B_{test}} \alpha^{test}_x\, |x\rangle_{\hat\theta} \otimes |\psi^x_E\rangle$$
for $B_{test} = \{x \in \{0,1\}^m \mid r_H(x|_{\bar{T}}, \hat{x}|_{\bar{T}}) \le r_H(x|_{T'}, \hat{x}|_{T'}) + \varepsilon\}$, arbitrary coefficients $\alpha^{test}_x$ and arbitrary states $|\psi^x_E\rangle \in \mathcal{H}_E$.

We want to point out that the "ideal state" $|\tilde\varphi^{test}_{AE}\rangle$ in the remaining subsystem after the test is a superposition of states with relative Hamming distance upper bounded by the test estimate (plus a small error $\varepsilon$). This is the case since we sum over all $x$ restricted to the set specifying exactly that, and also note that $B'$'s subsystem $|\psi^x_E\rangle$ depends on $x$, which means, informally speaking, that only such states survive. In other words, we are indeed left with a superposition over all strings whose relative Hamming distance is $\varepsilon$-close to the estimate of the test.

Proof. For any $test$, we let $|\tilde\varphi^{test}_{AE}\rangle$ be the renormalized projection of $|\varphi_{AE}\rangle$ into the subspace $\mathrm{span}\{|x\rangle_{\hat\theta} \mid x \in B_{test}\} \otimes \mathcal{H}_E$ and we let $|\tilde\varphi^{test\perp}_{AE}\rangle$ be the renormalized projection of $|\varphi_{AE}\rangle$ into the orthogonal complement, such that $|\varphi_{AE}\rangle = \epsilon_{test}|\tilde\varphi^{test}_{AE}\rangle + \epsilon^\perp_{test}|\tilde\varphi^{test\perp}_{AE}\rangle$ with $\epsilon_{test} = \langle\tilde\varphi^{test}_{AE}|\varphi_{AE}\rangle$ and $\epsilon^\perp_{test} = \langle\tilde\varphi^{test\perp}_{AE}|\varphi_{AE}\rangle$. By construction, $|\tilde\varphi^{test}_{AE}\rangle$ is of the form as required in the statement of the lemma. A basic property of the trace norm of pure states leads to
$$\delta\big(|\varphi_{AE}\rangle\langle\varphi_{AE}|,\, |\tilde\varphi^{test}_{AE}\rangle\langle\tilde\varphi^{test}_{AE}|\big) = \sqrt{1 - |\langle\tilde\varphi^{test}_{AE}|\varphi_{AE}\rangle|^2} = \sqrt{1 - |\epsilon_{test}|^2} = |\epsilon^\perp_{test}| \,.$$
This last term corresponds to the square root of the probability, when given $test$, to observe a string $x \notin B_{test}$ when measuring subsystem $A$ of $|\varphi_{AE}\rangle$ in basis $\hat\theta$. Furthermore, using elementary properties of the trace norm with Jensen's inequality¹ gives
$$\delta(\rho_{TestAE}, \tilde\rho_{TestAE})^2 = \Big(\sum_{test} P_{Test}(test)\, \delta\big(|\varphi_{AE}\rangle\langle\varphi_{AE}|,\, |\tilde\varphi^{test}_{AE}\rangle\langle\tilde\varphi^{test}_{AE}|\big)\Big)^2 = \Big(\sum_{test} P_{Test}(test)\, |\epsilon^\perp_{test}|\Big)^2 \le \sum_{test} P_{Test}(test)\, |\epsilon^\perp_{test}|^2 \,,$$
where the last term is the probability to observe a string $x \notin B_{test}$ when choosing $test$ according to $P_{Test}$ and measuring subsystem $A$ of $|\varphi_{AE}\rangle$ in basis $\hat\theta$. This situation, though, is a classical sampling problem, for which it is well known that for any measurement outcome $x$, the probability (over the choice of $test$) that $x \notin B_{test}$ is negligible in $m$ (see e.g. [Hoe63]). Thus, it follows that state $\rho_{TestAE}$ is negligibly close (in $m$) to state $\tilde\rho_{TestAE}$. ■

Next, we need a preliminary lemma, stating that a pure state can be written as a "small superposition" of basis vectors.

Lemma 5.2 Let $|\varphi_{AE}\rangle \in \mathcal{H}_A \otimes \mathcal{H}_E$ be a state of the form $|\varphi_{AE}\rangle = \sum_{i \in J} \alpha_i |i\rangle \otimes |\psi^i_E\rangle$, where $\{|i\rangle\}_{i \in I}$ is a basis of $\mathcal{H}_A$ and $J \subseteq I$. Then, the following holds.

1. Let $\rho_{AE} = \sum_{i \in J} |\alpha_i|^2\, |i\rangle\langle i| \otimes |\psi^i_E\rangle\langle\psi^i_E|$, and let $W$ and $\tilde{W}$ be the outcome of measuring $A$ of $|\varphi_{AE}\rangle$, respectively of $\rho_{AE}$, in some basis $\{|w\rangle\}_{w \in \mathcal{W}}$. Then,
$$H_\infty(W) \ge H_\infty(\tilde{W}) - \log|J| \,.$$

2. The reduced density matrix $\rho_E = \mathrm{tr}_A(|\varphi_{AE}\rangle\langle\varphi_{AE}|)$ has max-entropy
$$H_0(\rho_E) \le \log|J| \,.$$

¹ In this context, we use Jensen's inequality with $f(\sum_i p_i x_i) \le \sum_i p_i f(x_i)$ for positive $p_i$ summing to one and a real convex function $f$.

Note that when using Renner's definition for conditional min-entropy of [Ren05] under Point 1, one can actually show that $H_\infty(W|E) \ge H_\infty(\tilde{W}|E) - \log|J|$.

Proof. For Point 1, we may understand $\rho_{AE}$ as being in state $|i\rangle \otimes |\psi^i_E\rangle$ with probability $|\alpha_i|^2$, so that we easily see that
$$P_{\tilde{W}}(w) = \sum_{i \in J} |\alpha_i|^2\, |\langle w|i\rangle|^2 \;\ge\; \frac{1}{|J|}\Big(\sum_{i \in J} |\alpha_i|\, |\langle w|i\rangle|\Big)^2 \;\ge\; \frac{1}{|J|}\Big\|\sum_{i \in J} \alpha_i \langle w|i\rangle\, |\psi^i_E\rangle\Big\|^2 = \frac{1}{|J|}\, P_W(w) \,,$$
where the first inequality is Cauchy-Schwarz² and the second is the triangle inequality. The claim follows (with Definition 3.1).

For Point 2, note that $\rho_E = \mathrm{tr}_A(|\varphi_{AE}\rangle\langle\varphi_{AE}|) = \sum_{i \in J} |\alpha_i|^2\, |\psi^i_E\rangle\langle\psi^i_E|$. The claim follows immediately from the sub-additivity of the rank, i.e.,
$$\mathrm{rank}(\rho_E) \le \sum_{i \in J} \mathrm{rank}\big(|\alpha_i|^2\, |\psi^i_E\rangle\langle\psi^i_E|\big) \le |J| \,,$$
where we use that all $|\psi^i_E\rangle\langle\psi^i_E|$ have rank (at most) 1. ■

Now, combining the fact that for the binary entropy function $h$ it holds that $|\{y \in \{0,1\}^n \mid d_H(y, \bar{y}) \le \mu n\}| \le 2^{h(\mu) n}$ for any $\bar{y} \in \{0,1\}^n$ and $0 \le \mu \le \frac{1}{2}$ with Lemma 5.2 on "small superpositions of product states", we can conclude the following corollary.

Corollary 5.1 Let $\tilde\rho_{TestAE}$ be of the form as in Lemma 5.1 (for given $\varepsilon$, $\hat{x}$ and $\hat\theta$). For any fixed $test = (T, T')$ and for any fixed $x|_T \in \{0,1\}^{\alpha m}$ with $\mathrm{err} := r_H(x|_{T'}, \hat{x}|_{T'}) < \frac{1}{2}$, let $|\tilde\psi_{AE}\rangle$ be the state to which $|\tilde\varphi^{test}_{AE}\rangle$ collapses when, for every $i \in T$, subsystem $A_i$ is measured in basis $\hat\theta_i$ and $x_i$ is observed, where we understand $A$ in $|\tilde\psi_{AE}\rangle$ to be restricted to the registers $A_i$ with $i \notin T$. Finally, let $\sigma_E = \mathrm{tr}_A(|\tilde\psi_{AE}\rangle\langle\tilde\psi_{AE}|)$ and let the random variable $X$ describe the outcome when measuring the remaining $n = (1-\alpha)m$ subsystems of $A$ in basis $\theta|_{\bar{T}} \in \{+, \times\}^n$. Then, for any subset $I \subseteq \{1, \ldots, n\}$ and any $x|_{\bar{I}}$,³
$$H_\infty\big(X|_I \,\big|\, X|_{\bar{I}} = x|_{\bar{I}}\big) \ge d_H(\theta|_I, \hat\theta|_I) - h(\mathrm{err} + \varepsilon)\, n$$
and
$$H_0(\sigma_E) \le h(\mathrm{err} + \varepsilon)\, n \,.$$
Thus, the number of errors between the measured $x|_{T'}$ and the given $\hat{x}|_{T'}$ gives us a bound on the min-entropy of the outcome when measuring the remaining subsystems of $A$, and on the max-entropy of the state of subsystem $E$.



Proof. To simplify notation, we write $\vartheta = \theta|_{\bar{T}}$ and $\hat\vartheta = \hat\theta|_{\bar{T}}$. By definition of $\tilde\rho_{TestAE}$, for any fixed values of $\varepsilon$, $\hat{x}$ and $\hat\theta$, the state $|\tilde\psi_{AE}\rangle$ is of the form $|\tilde\psi_{AE}\rangle = \sum_{y \in \mathcal{Y}} \alpha_y |y\rangle_{\hat\vartheta} \otimes |\psi^y_E\rangle$, where $\mathcal{Y} = \{y \in \{0,1\}^n : d_H(y, \hat{x}|_{\bar{T}}) \le (\mathrm{err} + \varepsilon) n\}$. Recall here that $r_H(y, \hat{x}|_{\bar{T}}) = d_H(y, \hat{x}|_{\bar{T}})/n$. Consider the corresponding mixture $\sigma_{AE} = \sum_{y \in \mathcal{Y}} |\alpha_y|^2\, |y\rangle\langle y|_{\hat\vartheta} \otimes |\psi^y_E\rangle\langle\psi^y_E|$ and define $\tilde{X}$ as the random variable for the outcome when measuring register $A$ of $\sigma_{AE}$ in basis $\vartheta$. Note that $H_\infty(\tilde{X}) \ge d_H(\vartheta, \hat\vartheta)$, since any state $|y\rangle_{\hat\vartheta}$, when measured in basis $\vartheta$, produces a random bit for every position $i$ with $\vartheta_i \ne \hat\vartheta_i$ (see also the definition of the min-entropy (Definition 3.1) and note that each such $|y\rangle_{\hat\vartheta}$ has $2^{d_H(\vartheta, \hat\vartheta)}$ equally likely outcomes). Lemma 5.2 allows us to conclude that
$$H_0(\sigma_E) \le \log|\mathcal{Y}| \le \log 2^{h(\mathrm{err} + \varepsilon) n} = h(\mathrm{err} + \varepsilon)\, n \,,$$
and similarly,
$$H_\infty(X) \ge H_\infty(\tilde{X}) - \log|\mathcal{Y}| \ge d_H(\vartheta, \hat\vartheta) - h(\mathrm{err} + \varepsilon)\, n \,.$$
This proves the claim for $I = \{1, \ldots, n\}$. For arbitrary $I \subseteq \{1, \ldots, n\}$ and $x|_{\bar{I}}$, we can consider the pure state obtained by measuring the registers $A_i$ with $i \notin I$ in basis $\vartheta_i$, when $x|_{\bar{I}}$ is observed. This state is still a superposition of at most $|\mathcal{Y}|$ vectors and thus we can apply the exact same reasoning to obtain Eq. (5.1). ■

² In this context, we use the inequality phrased as $\sum_i |x_i|^2 |y_i|^2 \ge \frac{1}{n} \big|\sum_i x_i y_i\big|^2$ for $n$ summands.

³ Below, $\theta|_I$ (and similarly $\hat\theta|_I$) should be understood as first restricting the $m$-bit vector $\theta$ to $\bar{T}$, and then restricting the resulting $n$-bit vector to $I$: $\theta|_I := (\theta|_{\bar{T}})|_I$.



The initial claim to be shown now follows by combining Lemma 5.1 and Corollary 5.1. Indeed, the ideal state $\rho_{ideal}$ we promised, for which (5.1) holds, is produced by putting A and $B'$ in state $\tilde\rho_{TestAE}$, defined in Lemma 5.1, and then running Steps 2 and 3 of the verification phase. This state is negligibly close to the real state, since by Lemma 5.1 we were negligibly close to the real state before these operations. Corollary 5.1 ensures that the bounds for benign Bob as stated in the definition of benignity in Eq. (5.1) are satisfied.



5.3 In the Presence of Noise 

In the description of the compiler and in its analysis in the previous section, we assume the quantum communication to be noise-free. Indeed, in the case of transmission errors, honest Alice is likely to reject an execution with honest Bob. However, it is straightforward to generalize the result to noisy quantum communication as follows.

In Step 2 of the verification phase of $C^\alpha(\Pi)$, Alice rejects and aborts if the relative number of errors between $x_i$ and $\hat{x}_i$ for $i \in T$ with $\theta_i = \hat\theta_i$ exceeds the error probability $\phi$, induced by the noise in the quantum communication, by some small $\varepsilon' > 0$. By Hoeffding's inequality [Hoe63], this guarantees that honest Alice does not reject honest Bob, except with exponentially small probability. Furthermore, proving the security of this "noise-resistant" compiler goes along the exact same lines as for the original compiler. The only difference is that when applying Corollary 5.1, the parameter $\mathrm{err}$ has to be chosen as $\mathrm{err} = \phi + \varepsilon'$, such that the bounds in Eq. (5.1) hold for
$$\beta = h(\mathrm{err} + \varepsilon) = h(\phi + \varepsilon' + \varepsilon) \,.$$
Thus, the claim of our compiler theorem (Theorem 5.1) holds for any $\beta$-benign Bob with $\beta > h(\phi)$ (by choosing $\varepsilon, \varepsilon' > 0$ small enough).
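The Commit&Open verification of Figures 5.2 and 5.4 and the noise-tolerant acceptance rule of this section, run as a classical simulation. This is an illustration added here, not code from the thesis. Qubits are modelled classically: measuring $|x\rangle_\theta$ in a matching basis returns $x_i$ (flipped with probability `noise` on a noisy channel), and in a non-matching basis a uniformly random bit. The position-wise commitment is a SHA-256 hash commitment standing in for the dual-mode scheme, whose hiding and binding modes the simulation does not model, and the only dishonest Bob modelled is one who skips the measurement and commits to guessed outcomes (a general quantum attack is not classically simulable). The function names `run_compiled_verification`, `alice_verify`, `honest_reject_bound` and the parameter values are assumptions of this illustration.

```python
import hashlib
import math
import random
from typing import Dict, List, Sequence, Tuple

Opening = Tuple[int, int, bytes]  # (theta_hat_i, x_hat_i, r_i)


def measure(x: Sequence[int], theta: Sequence[int], theta_hat: Sequence[int],
            rng: random.Random, noise: float = 0.0) -> List[int]:
    """Classical model of Bob measuring BB84 qubits |x>_theta in bases theta_hat.
    Matching basis: outcome x_i, flipped with probability `noise` (channel error
    probability phi); non-matching basis: a uniformly random bit."""
    out = []
    for xi, ti, ti_hat in zip(x, theta, theta_hat):
        if ti == ti_hat:
            out.append(xi ^ int(rng.random() < noise))
        else:
            out.append(rng.randrange(2))
    return out


def commit(theta_hat_i: int, x_hat_i: int, r: bytes) -> bytes:
    """Toy stand-in for commit((theta_hat_i, x_hat_i), r_i): a hash commitment.
    The thesis uses a keyed dual-mode scheme; its two modes are not modelled here."""
    return hashlib.sha256(bytes([theta_hat_i, x_hat_i]) + r).digest()


def bob_commit(theta_hat: Sequence[int], x_hat: Sequence[int],
               rng: random.Random) -> Tuple[List[bytes], List[Opening]]:
    """Verification Step 1: Bob commits position-wise to (theta_hat_i, x_hat_i)."""
    openings = [(th, xh, bytes(rng.getrandbits(8) for _ in range(16)))
                for th, xh in zip(theta_hat, x_hat)]
    return [commit(*o) for o in openings], openings


def alice_verify(commitments: Sequence[bytes], opened: Dict[int, Opening],
                 T: Sequence[int], theta: Sequence[int], x: Sequence[int],
                 threshold: float) -> bool:
    """Verification Step 2: check every opening on T, then compare x_i with x_hat_i
    wherever theta_i = theta_hat_i. `threshold` is 0 for the noise-free compiler
    and phi + eps' for the noise-tolerant variant of Section 5.3."""
    matches = errors = 0
    for i in T:
        th, xh, r = opened[i]
        if commit(th, xh, r) != commitments[i]:
            return False                      # invalid opening: reject
        if th == theta[i]:
            matches += 1
            errors += int(xh != x[i])
    return matches == 0 or errors <= threshold * matches


def run_compiled_verification(n: int, alpha: float, honest: bool, noise: float = 0.0,
                              phi: float = 0.0, eps_prime: float = 0.0,
                              seed: int = 0) -> bool:
    """Preparation and verification of C^alpha(Pi) with m = n/(1-alpha) qubits.
    An honest Bob measures; the dishonest Bob modelled here keeps the qubits
    unmeasured and commits to guessed outcomes."""
    rng = random.Random(seed)
    m = math.ceil(n / (1 - alpha))
    x = [rng.randrange(2) for _ in range(m)]
    theta = [rng.randrange(2) for _ in range(m)]
    theta_hat = [rng.randrange(2) for _ in range(m)]
    if honest:
        x_hat = measure(x, theta, theta_hat, rng, noise)
    else:
        x_hat = [rng.randrange(2) for _ in range(m)]
    commitments, openings = bob_commit(theta_hat, x_hat, rng)
    T = rng.sample(range(m), int(alpha * m))       # random test subset, |T| = alpha*m
    opened = {i: openings[i] for i in T}           # Bob opens c_i for i in T only
    return alice_verify(commitments, opened, T, theta, x, phi + eps_prime)


def honest_reject_bound(k: int, eps_prime: float) -> float:
    """Hoeffding bound [Hoe63]: over k tested positions with matching bases, the
    relative error exceeds phi + eps' with probability at most exp(-2 k eps'^2),
    so honest Alice rejects honest Bob only with exponentially small probability."""
    return math.exp(-2 * k * eps_prime ** 2)


if __name__ == "__main__":
    print("honest Bob, noise-free:  ", run_compiled_verification(768, 0.25, True, seed=1))
    print("guessing Bob, noise-free:", run_compiled_verification(768, 0.25, False, seed=1))
    print("honest Bob, phi = 0.05:  ", run_compiled_verification(768, 0.25, True, 0.05, 0.05, 0.15, seed=2))
    print("guessing Bob, phi = 0.05:", run_compiled_verification(768, 0.25, False, 0.05, 0.05, 0.15, seed=2))
    print("Pr[honest Bob rejected] <=", honest_reject_bound(128, 0.15))
```

With $n = 768$ and $\alpha = 1/4$ the compiled run sends $m = 1024$ qubits and tests 256 of them, about 128 with matching bases; a guessing Bob is caught unless all of those guesses are right, i.e. except with probability about $2^{-128}$, which is the intuition the rigorous Lemma 5.1 replaces for a quantum Bob.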
5.4 Bounded-Quantum-Storage Security

In this section we show that our compiler preserves security in the bounded-quantum-storage model. Recall that in the BQSM, one of the players, in our case Bob, is assumed to be able to store only a limited number of qubits beyond a certain point in the protocol. BQSM-secure OT and ID protocols are known [DFSS07], but can be efficiently broken if the memory bound does not hold. Therefore, we show here that applying the compiler produces protocols with better security, namely the adversary needs large quantum storage and large computing power to succeed. In Chapter 6 we will then discuss the compiled protocols with hybrid security in more detail.

Consider a BB84-type protocol $\Pi$. For a constant $0 < \gamma < 1$, let $\mathfrak{B}^\gamma_{BQSM}(\Pi)$ be the set of dishonest players $B'$ that store only $\gamma n$ qubits after a certain point in $\Pi$, where $n$ is the number of qubits sent initially. Protocol $\Pi$ is said to be unconditionally secure against such a $\gamma$-BQSM Bob if it satisfies Definition 3.5 with the restriction that the quantification is over all dishonest $B' \in \mathfrak{B}^\gamma_{BQSM}(\Pi)$.

Theorem 5.2 If protocol $\Pi$ is unconditionally secure against $\gamma$-BQSM Bob, then the compiled protocol $C^\alpha(\Pi)$ is unconditionally secure against $\gamma(1-\alpha)$-BQSM Bob, where $0 < \alpha < 1$.

Proof. The proof proceeds as the proof for our compiler theorem (Theorem 5.1). We have a dishonest $B'$ that attacks $C^\alpha(\Pi)$, and we construct a $B'_0$ that attacks the original protocol $\Pi$. The only difference here is that we let $B'_0$ generate the common reference string "correctly" as $pk_H$ sampled according to $\mathcal{G}_H$.

It follows by construction of $B'_0$ that $\mathrm{out}^{C^\alpha(\Pi)}_{A,B'} = \mathrm{out}^{\Pi}_{A_0,B'_0}$. Furthermore, since $B'_0$ requires the same amount of quantum storage as $B'$ but communicates an $\alpha$-fraction fewer qubits, it follows that $B'_0 \in \mathfrak{B}^{\gamma}_{BQSM}(\Pi)$ if $B' \in \mathfrak{B}^{\gamma(1-\alpha)}_{BQSM}(C^\alpha(\Pi))$. Thus, it follows that there exists $\hat{B}'$ such that $\mathrm{out}^{\Pi}_{A_0,B'_0} \approx \mathrm{out}^{\mathcal{F}}_{\hat{A},\hat{B}'}$. This proves the claim. ■



5.5 Composability

Several composition frameworks for the quantum setting have been proposed, for instance, sequential composability in a classical environment [FS09], sequential composability in a quantum environment but restricted to the BQSM [WW08], or attempts at generalizing the universal classical composability framework (UC in [Can01]) to universal quantum composability [BM04, Unr04, Unr10]. Here, we will briefly investigate our protocols in the particular composition frameworks we consider most appropriate for our setting.

5.5.1 Sequential Composition

All our definitions for correctness and security of our two-party quantum protocols comply with the composition framework of [FS09] as described in detail in Section 3.6. In particular, we will show in the next chapter that all of our quantum protocols $\pi$ securely implement their corresponding ideal functionality $\mathcal{F}$. Thus, according to the Composition Theorems 3.2 and 3.3, we arrive at a situation where an outer protocol $\Sigma^{\pi_1 \cdots \pi_k}$, composed of possibly different inner sub-protocols $\pi_i$, is essentially as secure as any hybrid protocol $\Sigma^{\mathcal{F}_1 \cdots \mathcal{F}_k}$ with sequential calls to the corresponding ideal functionalities $\mathcal{F}_i$. Sequential composition in a classical environment follows immediately.



5.5.2 General Composition 

Our strong simulation-based security approach is clearly closely related to the concept of universal composability, but our definitions do not imply UC security. The definitions of unconditional security leading to sequential composability do not require the running time of ideal-world adversaries to be polynomial whenever the real-world adversaries run in polynomial time. Fortunately, by extending our basic commitment construction, we can achieve efficient ideal-world adversaries. Therewith, we get efficient simulation on both sides without rewinding any dishonest player.

Note that it might still be the case that our compilation preserves the efficiency of the simulator, namely, if protocol $\Pi$ is secure against dishonest $A'$ with an efficient simulator $\hat{A}'$, then so is $C^\alpha(\Pi)$. Although this would be desirable, it does not seem to be the case for our basic construction, for the following reason. In order to show such a result, we would need to simulate the pre-processing phase against dishonest $A'$ efficiently and without measuring the qubits that are not opened during pre-processing. Then, after preparation and verification, we could give the remaining qubits to $\hat{A}'$ to simulate the rest of the protocol as specified previously. However, the whole point of the pre-processing is to ensure that a real Bob measures all qubits, unless he can break the binding property of the commitments. Thus, the only way to resolve this situation is to give the simulator some trapdoor with which it can make commitments and open them any way it wants, or in other words, to equip the simulator with the possibility to equivocate its commitments.

With such an equivocability trapdoor, the simulation of the verification phase is straightforward. $\hat{A}'$ just waits until $A'$ reveals the test subset, measures the qubits in the test subset, and opens the commitments according to the measurement results. Then, $\hat{A}'$ simulates the protocol with the remaining unopened qubits. Our basic commitment construction, introduced in Section 4.1, does not provide such an equivocability trapdoor. However, we can extend the scheme as discussed in Section 4.1.4 by first extending our mixed commitment to the multi-bit cryptosystem of [PVW08] and then combining it with an HVZK $\Sigma$-protocol construction for some quantumly hard NP-relation $\mathcal{R}$. As previously shown, equivocability emerges in this construction with the simulator's knowledge of a valid witness $w$ such that $(x, w) \in \mathcal{R}$. In that case, the simulator can compute two accepting conversations for the $\Sigma$-protocol, and therewith answer both challenges. The extension preserves the different but indistinguishable dual modes of the underlying commitment scheme, such that the committed bit can still be extracted by a simulator $\hat{B}'$, decrypting both commitments $C_0, C_1$ to determine which contains a valid reply in the $\Sigma$-protocol.

In [Unr10], a special case of our generic construction, namely the quantum oblivious transfer protocol of Section 6.1, is related to the quantum-UC context. It is shown that the protocol statistically quantum-UC-emulates its ideal functionality in the case of corrupted Alice and corrupted Bob, if it is instantiated with an ideal commitment functionality. Furthermore, it is established that security as specified in [FS09] implies quantum-UC security in the case of our OT protocol.⁴ Last, the OT protocol in its randomized version and when instantiated by an unconditionally binding commitment scheme implements its corresponding ideal functionality with statistical security in the case of corrupted Bob. Even though for the last result the protocol is based on an actual commitment, the case considers only a dishonest Bob, and by using an unconditionally binding scheme in the real world, we would lose unconditional security against dishonest Alice.

However, by combining our extended construction as described above with the results of Section 4.1.4 and with [Unr10, Theorem 20], we get the following stronger result that applies to our generic compiler construction: Let $\Pi$ be a BB84-type protocol as specified in Theorem 5.1 and let $C^\alpha(\Pi)$ be its compilation, instantiated with an extended mixed commitment construction in the CRS model as described above. Then, $C^\alpha(\Pi)$ computationally quantum-UC-emulates its corresponding ideal functionality for both dishonest players.

⁴ The security we achieve here is called quantum stand-alone security in [Unr10], but we prefer to describe the statements in the terms used throughout this work.
Applications

Our compiler, discussed in the previous chapter, can be easily applied to known protocols. Here, we show two example applications, namely oblivious transfer and password-based identification. Since the original protocols are BQSM-secure, we also obtain hybrid security by compilation. These results appeared in [DFL+09]. We then show that the compiled identification protocol is secure against man-in-the-middle attacks, which was sketched in [DFL+09] but formal proofs were omitted.



6.1 Oblivious Transfer

Oblivious transfer, as introduced in Section 2.4.2, constitutes a highly relevant cryptographic primitive, which is complete for general two-party computation and reduces to classical commitment in its quantum variant. As a building block it can be securely used in outer quantum or classical protocols and extends, for instance, to quantum identification.

6.1.1 Motivation and Related Work

As mentioned already, the idea of introducing a Commit&Open step to improve the security of quantum protocols was suggested in the first quantum OT protocol of Crépeau and Kilian [CK88], which, in its original form, proposes a protocol for Rabin-OT, and in the practical follow-up work of Bennett, Brassard, Crépeau and Skubiszewska [BBCS91], implementing 1-2 OT$^1$. The Commit&Open approach is sketched as a "conceptually easy fix" [BBCS91, p. 14] in a situation where a dishonest Bob has large quantum storage. Various partial results for OT in that context followed. For instance, in [Yao95] such a construction is proven secure against any receiver in the case of noiseless communication. To make the proof work, however, an ideal black-box commitment scheme is assumed. This approach was then generalized for noisy channels and perfect string commitments in [May96]. Another approach in the computational setting was taken in [CDMS04]. There it was shown that a computationally binding quantum string commitment would enforce an apparent collapse of Bob's quantum information, which in turn would imply secure OT. The paper concludes with the open question of how to construct an actual commitment scheme as required to get an applicable protocol.

Based on our analysis of Section 5.4, we can now rather simply apply our compiler to (a variant of) the protocol in [BBCS91], and therewith give a complete proof for a concrete unconditionally hiding commitment scheme.
Functionality $\mathcal{F}_{OT}$:

Upon receiving $s_0$ and $s_1$ from Alice and $k$ from Bob, $\mathcal{F}_{OT}$ outputs $s_k$ to Bob.

Figure 6.1: The Ideal Functionality for String OT.

Protocol 1-2 QOT$^\ell$:

Preparation:

A chooses $x \in_R \{0,1\}^n$ and $\theta \in_R \{+, \times\}^n$ and sends $|x\rangle_\theta$ to B. B chooses $\hat\theta \in_R \{0,1\}^n$ and obtains $\hat{x} \in \{0,1\}^n$ by measuring $|x\rangle_\theta$ in bases $\hat\theta$.

Post-processing:

1. A sends $\theta$ to B.

2. B partitions all positions $1 \le i \le n$ in two subsets according to his choice bit $k \in \{0,1\}$: the "good" subset $I_k := \{i : \theta_i = \hat\theta_i\}$ and the "bad" subset $I_{1-k} := \{i : \theta_i \ne \hat\theta_i\}$. B sends $(I_0, I_1)$ in this order.

3. A sends descriptions of $f_0, f_1 \in_R \mathcal{F}$ together with $m_0 := s_0 \oplus f_0(x|_{I_0})$ and $m_1 := s_1 \oplus f_1(x|_{I_1})$.

4. B computes $s_k = m_k \oplus f_k(\hat{x}|_{I_k})$.

Figure 6.2: Basic Protocol for String OT.



6.1.2 The Protocol

The variant we consider here achieves 1-2 OT$^\ell$. Recall that in such a protocol, the sender A sends two $\ell$-bit strings $s_0$ and $s_1$ to the receiver B. B can select a string to receive, $s_k$, but he does not learn anything about $s_{1-k}$. Finally, A does not learn B's choice bit $k$. The ideal oblivious transfer functionality $\mathcal{F}_{OT}$ is shown in Figure 6.1.

Our protocol is almost identical to 1-2 OT$^1$ introduced in [BBCS91], but instead of using parity values to mask the bits in the last protocol message, we follow the approach of [DFR+07]. Their BQSM-secure protocol RAND 1-2 QOT$^\ell$ for the randomized version uses hash functions that allow for transferring an $\ell$-bit string instead of a bit as final message.

Let $\mathcal{F}$ denote a suitable family of two-universal hash functions $\{0,1\}^n \to \{0,1\}^\ell$ as specified in Definition 3.3. Note that if the input to the function is smaller than $n$, we can pad it with zeros without decreasing its entropy. We further assume that $\ell = \lfloor \lambda n \rfloor$ for some constant $\lambda > 0$. Then, after the modifications described above, we obtain the basic 1-2 QOT$^\ell$ protocol, depicted in Figure 6.2.
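The protocol of Figure 6.2 run end to end between honest parties, as a classical simulation added here; it is not code from the thesis or from [BBCS91] or [DFR+07]. The two-universal family $\mathcal{F}$ is instantiated as the set of all $\ell \times n$ binary matrices, i.e. GF(2)-linear maps $\{0,1\}^n \to \{0,1\}^\ell$, for which $\Pr_f[f(x) = f(x')] = 2^{-\ell}$ whenever $x \ne x'$, and the shorter input $x|_{I_k}$ is zero-padded to $n$ bits as the text prescribes. Measurement is modelled classically as in Chapter 5 (matching basis returns $x_i$, otherwise a uniformly random bit). The names `qot_1_2`, `demo` and the parameters $n = 256$, $\ell = 32$ (so $\lambda = 1/8$) are assumptions of this illustration.

```python
import random
from typing import Dict, List, Tuple

Bits = List[int]


def measure(x: Bits, theta: Bits, theta_hat: Bits, rng: random.Random) -> Bits:
    """Classical model of B measuring |x>_theta in bases theta_hat (noise-free):
    a matching basis gives x_i, a non-matching basis a uniformly random bit."""
    return [xi if ti == th else rng.randrange(2)
            for xi, ti, th in zip(x, theta, theta_hat)]


def random_hash(n: int, ell: int, rng: random.Random) -> List[Bits]:
    """Sample f in_R F: a uniformly random ell x n matrix over GF(2). The family
    of all GF(2)-linear maps {0,1}^n -> {0,1}^ell is two-universal."""
    return [[rng.randrange(2) for _ in range(n)] for _ in range(ell)]


def apply_hash(f: List[Bits], inp: Bits) -> Bits:
    """f(x|_I): zero-pad the restricted string to n bits, then multiply over GF(2)."""
    n = len(f[0])
    padded = list(inp) + [0] * (n - len(inp))
    return [sum(a & b for a, b in zip(row, padded)) & 1 for row in f]


def xor(a: Bits, b: Bits) -> Bits:
    return [u ^ v for u, v in zip(a, b)]


def qot_1_2(s0: Bits, s1: Bits, k: int, n: int, rng: random.Random) -> Tuple[Bits, Bits]:
    """1-2 QOT^ell between honest A (inputs s0, s1) and honest B (choice bit k).
    Returns B's output s_k and the string B obtains by applying the same recipe
    to the other mask with his outcomes from the non-matching positions."""
    ell = len(s0)
    # Preparation: A sends |x>_theta, B measures in random bases theta_hat.
    x = [rng.randrange(2) for _ in range(n)]
    theta = [rng.randrange(2) for _ in range(n)]
    theta_hat = [rng.randrange(2) for _ in range(n)]
    x_hat = measure(x, theta, theta_hat, rng)
    # Post-processing 1: A sends theta.  2: B partitions into I_k (good), I_{1-k} (bad).
    I: Dict[int, List[int]] = {
        k: [i for i in range(n) if theta[i] == theta_hat[i]],
        1 - k: [i for i in range(n) if theta[i] != theta_hat[i]],
    }
    # 3: A picks f0, f1 in_R F and sends m_j = s_j XOR f_j(x|_{I_j}) for j = 0, 1.
    f = [random_hash(n, ell, rng), random_hash(n, ell, rng)]
    s = [s0, s1]
    m = [xor(s[j], apply_hash(f[j], [x[i] for i in I[j]])) for j in (0, 1)]
    # 4: B computes s_k = m_k XOR f_k(x_hat|_{I_k}); x_hat = x on I_k, so this is exact.
    s_k = xor(m[k], apply_hash(f[k], [x_hat[i] for i in I[k]]))
    other = xor(m[1 - k], apply_hash(f[1 - k], [x_hat[i] for i in I[1 - k]]))
    return s_k, other


def demo(seed: int = 3, n: int = 256, ell: int = 32) -> Tuple[bool, bool]:
    """Run the protocol on random inputs. Returns (B recovered s_k exactly,
    B's attempt at s_{1-k} matched); the second is True with probability
    about 2^-ell, since x_hat is independent of x on I_{1-k}."""
    rng = random.Random(seed)
    s0 = [rng.randrange(2) for _ in range(ell)]
    s1 = [rng.randrange(2) for _ in range(ell)]
    k = rng.randrange(2)
    got, other = qot_1_2(s0, s1, k, n, rng)
    return got == [s0, s1][k], other == [s0, s1][1 - k]


if __name__ == "__main__":
    print(demo())
```

Correctness here is exact rather than probabilistic: on $I_k$ Bob's outcomes equal $x$, so $f_k(\hat{x}|_{I_k}) = f_k(x|_{I_k})$ and the mask cancels. On $I_{1-k}$ his outcomes are independent of $x$, so unmasking $m_{1-k}$ yields $s_{1-k}$ only if $f_{1-k}$ collides on two distinct inputs, which the two-universality of $\mathcal{F}$ bounds by $2^{-\ell}$.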



Proposition 6.1 Protocol 1-2 QOT$^\ell$ satisfies correctness and achieves unconditional security against dishonest Alice, according to Definitions 3.4 and 3.6, respectively.

Proof. Correctness for honest players is obvious: B selects one string to receive, which is masked by the hashed bit-string of outcomes, measured in the matching basis. In the positions with non-matching bases, he does not know the outcomes, and therewith he does not learn anything about $s_{1-k}$. Finally, A does not learn which is the "good" subset, and hence, which is B's choice $k$.

Security against dishonest Alice is derived in a straightforward way from RAND 1-2 QOT$^\ell$ of [DFR+07] as follows. Note that in RAND 1-2 QOT$^\ell$, the receiver measures all his qubits in one basis, depending on his choice bit $k$, i.e., $\hat\theta \in \{0^n, 1^n\}$. As described previously in Chapter 5, our compiler requires measurement in random bases $\hat\theta \in_R \{0,1\}^n$. Otherwise, the opened and tested positions during Commit&Open would obviously leak $k$.

Due to the non-interactivity of RAND 1-2 QOT$^\ell$, $A'$ cannot learn B's choice bit $k$, so the protocol is perfectly receiver-secure. More formally, the proof compares the real output to an ideal output, which is obtained by letting $A'$ run the protocol with an unbounded receiver who measures his qubits in $A'$'s bases $\theta$, samples an independent $K$ from the correct distribution, and sets $S_K$ correspondingly. The only difference between the two executions is the point in time and the choice of bases in which the positions $i \in I_{1-K}$ are measured. However, these parameters do not influence the output states, once $K$ is fixed.

Now, the preparation phase combined with Step 2 of the post-processing in 1-2 QOT$^\ell$ is equivalent to B measuring all qubits in the basis dictated by $K$. Thus, the same analysis can be applied to 1-2 QOT$^\ell$, achieving unconditional security against $A'$. ■



Theorem 6.1 Protocol 1-2 QOT$^\ell$ is unconditionally secure against $\beta$-benign Bob for any $\beta < \frac{1}{8} - \frac{\lambda}{2}$.

Proof. For any given benign Bob B', we construct $\hat B'$ the following way: $\hat B'$ runs locally a copy of B' and simulates an execution by running A up to but not including Step (3.). Since B' is benign, $\hat B'$ obtains $\hat\theta$ after the preparation phase. When the simulation of A reaches the point just after the announcement of $I_0$ and $I_1$ in Step (2.), $\hat B'$ finds $k'$ such that $d_H(\hat\theta|_{I_{k'}}, \theta|_{I_{k'}})$ is minimal for $k' \in \{0,1\}$. $\hat B'$ then calls $\mathcal{F}_{OT}$ with input $k'$ and obtains output $s_{k'}$. $\hat B'$ sets $m'_{k'} := s_{k'} \oplus f_{k'}(x|_{I_{k'}})$ and $m'_{1-k'} \in_R \{0,1\}^\ell$ before sending $(m'_0, m'_1)$ to B'. Finally, $\hat B'$ outputs whatever B' outputs.

We now argue that the state output by $\hat B'$ is statistically close to the state output by B' when executing 1-2 QOT$^\ell$ with the real A. The only difference is that, while $\hat B'$ sends $m'_{1-k'} \in_R \{0,1\}^\ell$, the real A sends $m_{1-k'} = s_{1-k'} \oplus f_{1-k'}(x|_{I_{1-k'}})$. Thus, we simply have to show that $m_{1-k'}$ is statistically indistinguishable from uniform in the view of B'.

Note that, since $\theta$ and $\hat\theta$ are independent and $\theta$ is a uniform $n$-bit string, we have that for any $\epsilon > 0$,

$d_H(\theta, \hat\theta) \geq \frac{n}{2} - \epsilon n$,

except with negligible probability. Since $I_0$ and $I_1$ partition the positions and $k'$ was chosen to minimize the distance on $I_{k'}$, the subset $I_{1-k'}$ carries at least half of this distance, so we can now claim that with overwhelming probability

$d_H(\theta|_{I_{1-k'}}, \hat\theta|_{I_{1-k'}}) \geq \frac{n}{4} - \epsilon n$.

Now, since B' is $\beta$-benign, we get with Definition 5.1 that

$H_\infty(X|_{I_{1-k'}} \mid X|_{I_{k'}} = x|_{I_{k'}}) \geq \frac{n}{4} - \epsilon n - \beta n$ and $H_0(\rho_E) \leq \beta n$.

It follows from privacy amplification (Theorem 3.1) that $f_{1-k'}(x|_{I_{1-k'}})$ is statistically indistinguishable from uniform for B', provided that

$\frac{\ell}{n} < \frac{1}{4} - 2\beta - \epsilon'$

for any $\epsilon' > 0$. Finally, by the properties of exclusive-OR, we can now also conclude that $m_{1-k'}$ is statistically close to uniform. Solving the last inequality for $\beta$ (with $\ell = \lfloor \lambda n \rfloor$), we obtain

$\beta < \frac{1}{8} - \frac{\lambda}{2} - \frac{\epsilon'}{2}$,

and Theorem 6.1 follows. ■

Protocol $\mathcal{C}^\alpha$(1-2 QOT$^\ell$):

Preparation:

A chooses $x \in_R \{0,1\}^m$ and $\theta \in_R \{+,\times\}^m$ and sends $|x\rangle_\theta$ to B. B chooses $\hat\theta \in_R \{+,\times\}^m$ and obtains $\hat x \in \{0,1\}^m$ by measuring $|x\rangle_\theta$ in bases $\hat\theta$.

Verification:

1. B sends $c_i := \mathrm{commit}_{pk_H}((\hat\theta_i, \hat x_i), r_i)$ with randomness $r_i$ for all $i = 1, \ldots, m$.

2. A sends random $T \subset \{1, \ldots, m\}$ with $|T| = \alpha m$. B opens $c_i$ for all $i \in T$, and A checks that the openings were correct and that $\hat x_i = x_i$ whenever $\hat\theta_i = \theta_i$. If all tests are passed, A accepts. Otherwise, she rejects and aborts.

3. A and B restrict $x, \theta$ and $\hat x, \hat\theta$, respectively, to the remaining $n$ positions $i \notin T$.

Post-processing:

1. A sends $\theta$ to B.

2. B partitions all positions $1 \leq i \leq n$ into two subsets according to his choice bit $k \in \{0,1\}$: the "good" subset $I_k := \{i : \theta_i = \hat\theta_i\}$ and the "bad" subset $I_{1-k} := \{i : \theta_i \neq \hat\theta_i\}$. B sends $(I_0, I_1)$ in this order.

3. A sends descriptions of $f_0, f_1 \in_R \mathcal{F}$ together with $m_0 := s_0 \oplus f_0(x|_{I_0})$ and $m_1 := s_1 \oplus f_1(x|_{I_1})$.

4. B computes $s_k = m_k \oplus f_k(\hat x|_{I_k})$.

Figure 6.3: Improved Protocol for String OT.
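The post-processing of the string-OT protocol and the simulator's choice of $k'$ from the proof of Theorem 6.1, as an added example (not code from the thesis): a Python simulation in which the BB84 preparation and measurement are replaced by their classical statistics (a matching basis returns $x_i$, the conjugate basis a fresh uniform bit), the two-universal family $\mathcal{F}$ is instantiated by random GF(2)-linear maps, and the Commit&Open verification phase of Figure 6.3 is omitted. All function and variable names are the example's own.

```python
"""Classical simulation of the post-processing of 1-2 QOT^ell (Figure 6.3
without the verification phase) and of the simulator B-hat' of Theorem 6.1.
Added example, not code from the thesis.  Bases are encoded as 0 (+) and
1 (x), following the thesis' convention for the xor-operation."""
import random


def bb84_prepare_and_measure(n, rng):
    """Honest preparation by A and measurement by B, reduced to its classical
    statistics: same basis -> x_i is recovered, other basis -> uniform bit."""
    x = [rng.randrange(2) for _ in range(n)]
    theta = [rng.randrange(2) for _ in range(n)]
    theta_hat = [rng.randrange(2) for _ in range(n)]
    x_hat = [x[i] if theta[i] == theta_hat[i] else rng.randrange(2) for i in range(n)]
    return x, theta, x_hat, theta_hat


def sample_hash(n, ell, rng):
    """Random GF(2)-linear map {0,1}^n -> {0,1}^ell as an ell x n 0/1 matrix.
    The family of all such maps is two-universal, as required of F."""
    return [[rng.randrange(2) for _ in range(n)] for _ in range(ell)]


def apply_hash(f, bits):
    """Evaluate the linear map; shorter inputs are zero-padded (Section 6.1)."""
    padded = list(bits) + [0] * (len(f[0]) - len(bits))
    return [sum(a & b for a, b in zip(row, padded)) % 2 for row in f]


def xor(a, b):
    return [u ^ v for u, v in zip(a, b)]


def hamming(a, b):
    return sum(u != v for u, v in zip(a, b))


def run_1_2_qot(s0, s1, k, n, seed):
    """Honest A with ell-bit inputs s0, s1 and honest B with choice bit k.
    Returns the transcript together with B's output s_k."""
    rng = random.Random(seed)
    ell = len(s0)
    x, theta, x_hat, theta_hat = bb84_prepare_and_measure(n, rng)
    # Post-processing 1.: A sends theta.  2.: B labels the matching positions
    # I_k and the others I_{1-k}, and sends (I_0, I_1) in this fixed order.
    good = [i for i in range(n) if theta[i] == theta_hat[i]]
    bad = [i for i in range(n) if theta[i] != theta_hat[i]]
    I = [None, None]
    I[k], I[1 - k] = good, bad
    # 3.: A picks f_0, f_1 and masks s_0, s_1 with hashes of x on I_0 and I_1.
    f = [sample_hash(n, ell, rng), sample_hash(n, ell, rng)]
    m = [xor(s0, apply_hash(f[0], [x[i] for i in I[0]])),
         xor(s1, apply_hash(f[1], [x[i] for i in I[1]]))]
    # 4.: B unmasks m_k with his own outcomes on I_k, where x_hat equals x.
    s_k = xor(m[k], apply_hash(f[k], [x_hat[i] for i in I[k]]))
    return {"x": x, "theta": theta, "x_hat": x_hat, "theta_hat": theta_hat,
            "I": I, "s_k": s_k}


def simulator_choice(theta, theta_hat, I):
    """The k' chosen by B-hat' in the proof of Theorem 6.1: the index b on
    which theta-hat and theta disagree least over I_b.  For an honest B this
    recovers his choice bit, since the distance on I_k is zero."""
    dist = [hamming([theta[i] for i in I[b]], [theta_hat[i] for i in I[b]])
            for b in (0, 1)]
    return 0 if dist[0] <= dist[1] else 1
```

With $n = 64$ and $\ell = 8$ the "bad" subset is nonempty except with probability $2^{-64}$, so `simulator_choice` returns B's actual choice bit and `run_1_2_qot` returns exactly $s_k$; the masked $m_{1-k}$ is a one-time pad under the hash of outcomes B never obtained.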



Informally, the next Corollary 6.1 states that, when compiling the basic protocol 1-2 QOT$^\ell$, we obtain an improved protocol $\mathcal{C}^\alpha$(1-2 QOT$^\ell$) with hybrid security, such that a dishonest Bob is required to have large quantum computing power and large quantum storage to succeed. For completeness, $\mathcal{C}^\alpha$(1-2 QOT$^\ell$) is given explicitly in Figure 6.3.

Corollary 6.1 If $\lambda < \frac{1}{4}$, then protocol $\mathcal{C}^\alpha$(1-2 QOT$^\ell$) is computationally secure against dishonest Bob and unconditionally secure against $\gamma(1-\alpha)$-BQSM Bob with $\gamma < \frac{1}{4} - 2\lambda$. Correctness and unconditional security against dishonest Alice is maintained during compilation.
Proof. The corollary is obtained by the following steps: First, we sketch that the analysis of protocol RAND 1-2 QOT$^\ell$ in [DFR+07] can be almost analogously applied to 1-2 QOT$^\ell$. Then, we combine this result with our BQSM-theorem (Theorem 5.2). And finally, we apply Theorem 6.1 with our compiler-theorem (Theorem 5.1). Note that, by definition, all these transformations touch neither correctness nor unconditional security against A'.

In more detail, the main difference between RAND 1-2 QOT$^\ell$ and 1-2 QOT$^\ell$ is that in the former B measures all his qubits in the basis corresponding to his choice bit $k$, i.e. $\hat\theta \in \{0^n, 1^n\}$. Since we require these measurements to be in random bases $\hat\theta \in_R \{0,1\}^n$, we lose the non-interactivity and must include the additional message $(I_0, I_1)$ from B to A in Step (2.), so that A obtains the same partition. However, the partition is sent in fixed order and does not allow A to conclude which is the "good" subset $I_k$. No other message is sent by B. Furthermore, recall that in randomized OT, A does not input the two messages $s_0, s_1$ herself by masking them with the hashed measurement outcomes. Instead, only these hash-values, generated uniformly at random during the protocol, are output. However, due to the characteristic of exclusive-OR, the security properties in this aspect do not change.

Thus, 1-2 QOT$^\ell$ inherits the BQSM-security of RAND 1-2 QOT$^\ell$, and we can claim that 1-2 QOT$^\ell$ is unconditionally secure against $\gamma$-BQSM Bob for all $\gamma$ strictly smaller than $\frac{1}{4} - 2\lambda$. Then, by Theorem 5.2, we obtain unconditional security for $\mathcal{C}^\alpha$(1-2 QOT$^\ell$) against $\gamma(1-\alpha)$-BQSM Bob.

Furthermore, we know from Theorem 6.1 that 1-2 QOT$^\ell$ is unconditionally secure against a $\beta$-benign Bob for $\beta < \frac{1}{8} - \frac{\lambda}{2}$. It follows with Theorem 5.1 that Commit&Open, instantiated by our dual-mode commitment scheme, leads to quantum-computational security for $\mathcal{C}^\alpha$(1-2 QOT$^\ell$) against any B'. ■



6.2 Password-Based Identification

Password-based identification is introduced in Section 2.4.3, where we also describe a construction from randomized 1-$n$ OT and the OT-security aspects inherited therewith. Secure identification is highly significant in any authenticated set-up of outer protocols, and may provide re-usability of the initial user-memorizable passwords, if cleverly implemented.



6.2.1 Motivation and Related Work

There exist various approaches for classical and quantum identification, based on different techniques, e.g. on zero-knowledge [FS86, FFS87], on password-based key-agreement [KOY01], and on quantum memory restrictions [DFSS07]. Here, we will subject the quantum identification scheme of [DFSS07], denoted in the following by BQSM-QID, to our compiler technique, yielding more diverse security assumptions. BQSM-QID was proven to be unconditionally secure against arbitrary dishonest Alice and against quantum-memory-bounded dishonest Bob by using quantum-information-theoretic security definitions. In [FS09] it was then shown that these security definitions imply simulation-based security as considered here, with respect to the functionality $\mathcal{F}_{ID}$ given in Figure 6.4. Actually, the definition and proof from [DFSS07] guarantee security only for a slightly weaker functionality, which gives some unfair advantage to dishonest Alice in case she guesses the password correctly. However, as discussed in [FS09], the protocol from [DFSS07] does implement functionality $\mathcal{F}_{ID}$.

Functionality $\mathcal{F}_{ID}$:

Upon receiving $w_A, w_B \in \mathcal{W}$ from Alice and Bob, respectively, $\mathcal{F}_{ID}$ outputs the bit $y := (w_A \stackrel{?}{=} w_B)$ to Bob. In case Alice is dishonest, she may choose $w_A = \bot$ (where $\bot \notin \mathcal{W}$), and (for any choice of $w_A$) the bit $y$ is also output to Alice.

Figure 6.4: The Ideal Functionality for Password-Based Identification.



6.2.2 The Protocol

Recall that we require from an identification scheme that a user A succeeds in identifying herself to a server B if she knows an initial, secret password $w$. Additionally, a dishonest user A' should not succeed with higher probability than by guessing, and similarly, a dishonest server B' should only be able to guess A's password, without learning anything beyond the (in)correctness of his guess. These last requirements provide re-usability of the password. To achieve security under realistic assumptions, we further want to allow memorizable passwords with low entropy.

Let $\mathcal{W}$ be the set of possible passwords (keys), not necessarily large in size, with $w \in \mathcal{W}$ denoting the initially shared password. For clarity, we will often use $w_A$ and $w_B$ to indicate A's and B's input to the protocol, and only accept if $w_A = w_B$, which implies equality to $w$. Let $c : \mathcal{W} \to \{+,\times\}^n$ be the encoding function of a binary code of length $n$ with $|\mathcal{W}|$ codewords and minimal distance $d$. Families of codes as required for our subsequent results, correcting a constant fraction of errors efficiently and with constant information rate, are indeed known [SS96]. And finally, let $\mathcal{F}$ and $\mathcal{G}$ denote suitable families of (strongly) two-universal hash-functions, as specified in Definition 3.3, with range $\mathcal{F} : \{0,1\}^n \to \{0,1\}^\ell$ and $\mathcal{G} : \mathcal{W} \to \{0,1\}^\ell$, respectively. Again we stress that we can pad the input to the functions with zeros if it is smaller than expected.

We cannot directly apply our compiler to the original BQSM-QID, since it is not a BB84-type protocol. Similar to RAND 1-2 QOT$^\ell$ described in the previous Section 6.1, B does not measure the qubits in a random basis but in a basis-string $c$ determined by his password $w_B \in \mathcal{W}$ by $c = c(w_B)$. After A's basis announcement, both players compute the set $I_w = \{i : \theta_i = c(w)_i\}$ with the positions on which they base the last steps of the post-processing.

We briefly sketch now the transformation from BQSM-QID into a BB84-type protocol, without affecting security and without losing efficiency. The first step is naturally to let B measure in random bases $\hat\theta \in_R \{+,\times\}^n$. The most straightforward next step would be to include a new message from B to A during post-processing, in which B announces $I_B = \{i : \hat\theta_i = c(w)_i\}$. Then, A sends $\theta$ and the remaining post-processing could be conducted on $I_w = \{i \in I_B : \theta_i = \hat\theta_i\}$. Note, however, that this solution is less efficient than in the original protocol, since only approx. $1/4$ of all measurement outcomes could be used. So instead, we let Bob apply a random shift $\kappa$ to the code, which B announces to A in the post-processing phase, namely $\hat\theta = c(w) \oplus \kappa$ with $\kappa \in \{+,\times\}^n$ and $+ = 0$ and $\times = 1$ for computing the $\oplus$-operation. Then, we define $c'(w) := c(w) \oplus \kappa$. Finally, after A's announcement of $\theta$, the protocol is completed with the shifted code, i.e., based on positions in $I_w = \{i : \theta_i = c'(w)_i\}$. This has the effect that the post-processing is actually based on positions $i$ with $\theta_i = \hat\theta_i$, and thus, on approx. $1/2$ of all qubits as in protocol BQSM-QID. Note that since $\hat\theta$ is uniformly random, the announced shift $\kappa$ is uniformly random and independent of $c(w)$, so it reveals nothing about $w$ on its own. Our resulting protocol QID is described in Figure 6.5. We show in the following proofs that the modification does not affect security as given in [DFSS07] (and [FS09]).

Protocol QID:

Preparation:

A chooses $x \in_R \{0,1\}^n$ and $\theta \in_R \{+,\times\}^n$ and sends $|x\rangle_\theta$ to B. B chooses $\hat\theta \in_R \{+,\times\}^n$ and obtains $\hat x \in \{0,1\}^n$ by measuring $|x\rangle_\theta$ in bases $\hat\theta$.

Post-processing:

1. B computes a string $\kappa \in \{+,\times\}^n$ such that $\hat\theta = c(w) \oplus \kappa$, where we think of $+$ as $0$ and $\times$ as $1$ so that $\oplus$ makes sense. He sends $\kappa$ to A and we define $c'(w) := c(w) \oplus \kappa$.

2. A sends $\theta$ and $f \in_R \mathcal{F}$ to B. Both compute $I_w := \{i : \theta_i = c'(w)_i\}$.

3. B sends $g \in_R \mathcal{G}$.

4. A sends $z := f(x|_{I_w}) \oplus g(w)$ to B.

5. B accepts if and only if $z = f(\hat x|_{I_w}) \oplus g(w)$.

Figure 6.5: Basic Protocol for Password-Based Identification.



Proposition 6.2 Protocol QID satisfies correctness and achieves unconditional security against dishonest Alice, according to Definitions 3.4 and 3.6, respectively.

Proof. Correctness for honest players is obvious: If both A and B know $w$, i.e. $w_A = w_B$, they can compute $c(w)$ and $c'(w)$. Following the last steps as supposed to, they conclude with $f(x|_{I_w}) \oplus g(w_A) = f(\hat x|_{I_w}) \oplus g(w_B)$.

Security against dishonest A' is derived in a straightforward way from BQSM-QID as follows. Recall that in BQSM-QID, B measures all his qubits in one basis, depending on $c = c(w)$. In QID, the preparation phase combined with Step (1.) of the post-processing, where B sends $\kappa$, can be seen as an equivalent situation from the view of A'. The important positions are now defined by $c'(w)$, which is however only deducible if $c(w)$ is known in addition, since otherwise $\kappa$ looks completely random. All subsequent steps are exactly as in BQSM-QID, and thus, the same analysis can be applied to QID. In the following, we sketch the intuitive idea thereof. A' runs the protocol with a memory-unbounded server who measures his qubits in A''s bases $\theta$ and therefore obtains $x$. He then computes $s_j = f(x|_{I_j}) \oplus g(j)$ for all codewords $j \in \mathcal{W}$, where $s_w$ would be expected from A' for an accepting run of the protocol. By the strongly universal-two property of $g$, all $s_j$ are pairwise independent, and thus it follows that all $s_j$'s are distinct, except with negligible probability. Assume that the accepting message is one of the $s_j$'s for a random variable $w'$, i.e. $z = s_{w'}$. A' will only succeed if $w' = w$, and A' does not learn anything beyond that. A further analysis of A''s state before the final accept/reject-message shows its independence from $w$, given $w'$ and conditioned on $w' \neq w$ and on the pairwise distinctness of all $s_j$'s. And finally, for A''s state after the final message it is shown that the event of all $s_j$'s being distinct is independent of $w$ and $w'$. Statistical security against A' follows. ■



Theorem 6.2 If $c : \mathcal{W} \to \{+,\times\}^n$ has minimal distance $d \geq \delta n$ and is polynomial-time decodable, then protocol QID is unconditionally secure against $\beta$-benign Bob for any $\beta < \frac{\delta}{4}$.



Proof. For any given benign Bob B', we construct $\hat B'$ as follows. $\hat B'$ runs locally a copy of B' and simulates Alice's actions by running A faithfully except for the following modifications.

After the preparation phase, $\hat B'$ gets $\hat\theta$ and $\kappa$ from B'. It then computes $w' \in \mathcal{W}$ such that $c(w')$ has minimal Hamming distance to $\hat\theta \oplus \kappa$. Note that this can be done in polynomial time by assumption on the code. Then, $\hat B'$ submits $w'$ as input $w_B$ to $\mathcal{F}_{ID}$ and receives output $y \in \{0,1\}$. If $y = 1$, then $\hat B'$ faithfully completes A's simulation using $w'$ as $w$. Otherwise, $\hat B'$ completes the simulation by using a random $z'$ instead of $z$. In the end, $\hat B'$ outputs whatever B' outputs.

We need to show that the state output by $\hat B'$ (respectively B') above is statistically close to the state output by B' when executing QID with the real A. For simpler notation, we use $w$ for honest Alice's input $w_A$. Note that if $w' = w$, then the simulation of A is perfect and thus the two states are equal. If $w' \neq w$, then the simulation is not perfect, as the real A would use $z = f(x|_{I_w}) \oplus g(w)$ instead of a random $z'$. It thus suffices to argue that $f(x|_{I_w})$ is statistically close to random and independent of the view of B' for any fixed $w \neq w'$. Note that this is also what had to be proven in [DFSS07], but under a different assumption, namely that B' has bounded quantum memory, rather than that he is benign. Nevertheless, we can recycle part of the proof.

Recall from the definition of a benign Bob that the common state after the preparation phase is statistically close to a state for which it is guaranteed that $H_\infty(X|_I) \geq d_H(\theta|_I, \hat\theta|_I) - \beta n$ for any $I \subseteq \{1, \ldots, n\}$, and $H_0(\rho_E) \leq \beta n$. By the closeness of these two states, switching from the real state of the protocol to the ideal state satisfying these bounds has only a negligible effect on the state output by $\hat B'$. Thus, we may assume these bounds to hold.

Recall that $c(w')$ is a nearest codeword to $\hat\theta \oplus \kappa$. If $\hat\theta \oplus \kappa$ were closer than $d/2$ to the (distinct) codeword $c(w)$, then $c(w)$ would be its unique nearest codeword, since any two codewords are at distance at least $d$; hence $\hat\theta \oplus \kappa$ is at least $d/2$ away from $c(w)$. It follows that $c'(w) = c(w) \oplus \kappa$ has Hamming distance at least $d/2$ from $\hat\theta$. Furthermore, for arbitrary $\epsilon > 0$ and except with negligible probability, the Hamming distance between $\theta|_{I_w} = c'(w)|_{I_w}$ and $\hat\theta|_{I_w}$ is at least $d/4 - \epsilon n$. Therefore, we can conclude that

$H_\infty(X|_{I_w}) \geq d/4 - \epsilon n - \beta n$ and $H_0(\rho_E) \leq \beta n$.

We require $H_\infty(X|_{I_w}) - H_0(\rho_E) - \ell$ to be positive and linear in $n$, which is the case for parameters

$\beta n < d/8 - (\epsilon/2)\, n - \ell/2$.

We conclude by privacy amplification that $f(x|_{I_w})$ and therewith $z$ are close to random and independent of $E$, conditioned on $w' \neq w$. This concludes the proof. ■
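Protocol QID of Figure 6.5, including the shift $\kappa$, together with the nearest-codeword extraction that the simulator $\hat B'$ performs in the proof above, as an added example (not code from the thesis). The BB84 part is again reduced to its classical statistics, $\mathcal{F}$ and $\mathcal{G}$ are instantiated by random GF(2)-linear and affine maps, and $c$ is a toy repetition-style code chosen for readability, not one of the efficient code families [SS96] the thesis requires; all names are the example's own.

```python
"""Simulation of protocol QID (Figure 6.5) and of the password extraction
used by the simulator in the proof of Theorem 6.2.  Added example, not code
from the thesis.  Bases are encoded as 0 (+) and 1 (x)."""
import random


def repetition_code(b, n):
    """c : W -> {0,1}^n for W = {0, ..., 2^b - 1}: the b-bit pattern of w is
    repeated cyclically.  Toy code; its minimal distance is n // b when b | n."""
    code = []
    for w in range(2 ** b):
        pattern = [(w >> (b - 1 - t)) & 1 for t in range(b)]
        code.append([pattern[i % b] for i in range(n)])
    return code


def min_distance(code):
    return min(sum(u != v for u, v in zip(c1, c2))
               for a, c1 in enumerate(code) for c2 in code[a + 1:])


def nearest_codeword(code, v):
    """Brute-force minimum-distance decoding (polynomial in |W|); returns w'."""
    return min(range(len(code)),
               key=lambda w: sum(u != t for u, t in zip(code[w], v)))


def linear_hash(in_len, ell, rng):
    """Random GF(2)-linear map as an ell x in_len matrix (a two-universal family)."""
    return [[rng.randrange(2) for _ in range(in_len)] for _ in range(ell)]


def apply_linear(f, bits):
    padded = list(bits) + [0] * (len(f[0]) - len(bits))   # zero-padding, Section 6.2.2
    return [sum(a & c for a, c in zip(row, padded)) % 2 for row in f]


def apply_affine(g, w, b):
    """g = (matrix, offset) applied to the b-bit encoding of w.  Random affine
    maps over GF(2) form a strongly two-universal family, as required of G."""
    matrix, offset = g
    bits = [(w >> (b - 1 - t)) & 1 for t in range(b)]
    return [u ^ v for u, v in zip(apply_linear(matrix, bits), offset)]


def run_qid(code, w_a, w_b, ell, seed):
    """Honest A with password w_a and honest B with password w_b.  Returns B's
    decision and the values (theta_hat, kappa) the simulator of Theorem 6.2 sees."""
    rng = random.Random(seed)
    n, b = len(code[0]), len(code).bit_length() - 1
    # Preparation, reduced to its classical statistics.
    x = [rng.randrange(2) for _ in range(n)]
    theta = [rng.randrange(2) for _ in range(n)]
    theta_hat = [rng.randrange(2) for _ in range(n)]
    x_hat = [x[i] if theta[i] == theta_hat[i] else rng.randrange(2) for i in range(n)]
    # Post-processing 1.: B announces kappa with theta_hat = c(w_b) xor kappa.
    kappa = [theta_hat[i] ^ code[w_b][i] for i in range(n)]
    # 2.: A sends theta and f; each party forms I_w from its own password.
    f = linear_hash(n, ell, rng)
    I_a = [i for i in range(n) if theta[i] == code[w_a][i] ^ kappa[i]]
    I_b = [i for i in range(n) if theta[i] == code[w_b][i] ^ kappa[i]]
    # 3.: B sends g.  4.: A sends z.  5.: B compares z with his own outcomes.
    g = (linear_hash(b, ell, rng), [rng.randrange(2) for _ in range(ell)])
    z = [u ^ v for u, v in zip(apply_linear(f, [x[i] for i in I_a]),
                               apply_affine(g, w_a, b))]
    expected = [u ^ v for u, v in zip(apply_linear(f, [x_hat[i] for i in I_b]),
                                      apply_affine(g, w_b, b))]
    return {"accept": z == expected, "theta_hat": theta_hat, "kappa": kappa}


def extract_password(code, theta_hat, kappa):
    """Step of the simulator B-hat' in the proof of Theorem 6.2: decode
    theta_hat xor kappa to the nearest codeword c(w') and submit w' to F_ID."""
    return nearest_codeword(code, [t ^ k for t, k in zip(theta_hat, kappa)])
```

For equal passwords both parties compute the same $I_w$ and $\hat x|_{I_w} = x|_{I_w}$, so B accepts; for different passwords the sets $I_w$ and the $g$-values differ and B accepts only with probability about $2^{-\ell}$. For an honest B, $\hat\theta \oplus \kappa$ is exactly $c(w_B)$, so `extract_password` returns $w_B$.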
The next corollary informally states that, when applying our compiler to the basic protocol QID, we obtain a hybrid-secure protocol $\mathcal{C}^\alpha$(QID). Thus, any dishonest Bob needs large quantum computing power and large quantum storage to launch a successful attack. For completeness, we again give $\mathcal{C}^\alpha$(QID) explicitly in Figure 6.6.

Corollary 6.2 If $|\mathcal{W}| \leq 2^{\nu n}$, and if $c : \mathcal{W} \to \{+,\times\}^n$ has minimal distance $d \geq \delta n$ for $\delta > 0$ and is polynomial-time decodable, then protocol $\mathcal{C}^\alpha$(QID) is computationally secure against dishonest Bob and unconditionally secure against $\gamma(1-\alpha)$-BQSM Bob with $\gamma < \frac{\delta}{4} - \nu$. Correctness and unconditional security against dishonest Alice is maintained during compilation.



Proof. We can show hybrid security by first adapting and connecting the results of [DFSS07] with our BQSM-theorem (Theorem 5.2), and then combining Theorem 6.2 with our compiler-theorem (Theorem 5.1). All transformations preserve correctness and unconditional security against A'.

In more detail, the main difference between BQSM-QID of [DFSS07] and QID is that in the former B measures all his qubits in the bases corresponding to $c = c(w_B)$. Then, after A's basis announcement, both players base the remaining post-processing on $I_w = \{i : \theta_i = c(w)_i\}$. In QID instead, B measures in random bases, computes $\kappa$ with $\hat\theta = c(w) \oplus \kappa$, and announces $\kappa$ to A. Then, after A's basis announcement, the protocol is completed based on positions in $I_w := \{i : \theta_i = c'(w)_i\}$ with $c'(w) := c(w) \oplus \kappa$. Note that both situations are however equivalent. First, the important positions are those $i$ where $\theta_i = \hat\theta_i$ in both cases. And second, $\kappa$ looks completely random and is of no value without the knowledge of $c(w)$.

Thus, QID inherits the BQSM-security of BQSM-QID, and we can claim that QID is unconditionally secure against $\gamma$-BQSM Bob for all $\gamma < \frac{\delta}{4} - \nu$. From Theorem 5.2, unconditional security of $\mathcal{C}^\alpha$(QID) against $\gamma(1-\alpha)$-BQSM Bob follows. QID is guaranteed by Theorem 6.2 to achieve unconditional security against a $\beta$-benign Bob for $\beta < \frac{\delta}{4}$, and it follows with Theorem 5.1 that Commit&Open, instantiated by our dual-mode commitment scheme, yields quantum-computational security for $\mathcal{C}^\alpha$(QID) against any B'. ■



6.3 Man-in-the-Middle Security for Identification 

In a man-in-the-middle attack, we assume an external adversary who attacks an execution of 
the protocol with honest communicating parties, while having full control over the classical 
and the quantum communication. 



6.3.1 Motivation 



The compiled quantum protocols from Sections 6.1 and 6.2 protect against (arbitrary) dishonest Alice and against (computationally or quantum-storage bounded) dishonest Bob. However, in particular in the context of identification, it is also important to protect against a man-in-the-middle attacker Eve (E). Both QID and $\mathcal{C}^\alpha$(QID) are insecure in this model. Eve might measure one of the transmitted qubits, say, in the $+$-basis, and this way learn information on the basis $\hat\theta_i$ used by B, and thus on the password $w$, simply by observing if B accepts or rejects in the end.^1

Protocol $\mathcal{C}^\alpha$(QID):

Preparation:

A chooses $x \in_R \{0,1\}^m$ and $\theta \in_R \{+,\times\}^m$ and sends $|x\rangle_\theta$ to B. B chooses $\hat\theta \in_R \{+,\times\}^m$ and obtains $\hat x \in \{0,1\}^m$ by measuring $|x\rangle_\theta$ in bases $\hat\theta$.

Verification:

1. B sends $c_i := \mathrm{commit}_{pk_H}((\hat\theta_i, \hat x_i), r_i)$ with randomness $r_i$ for all $i = 1, \ldots, m$.

2. A sends random $T \subset \{1, \ldots, m\}$ with $|T| = \alpha m$. B opens $c_i$ for all $i \in T$, and A checks that the openings were correct and that $\hat x_i = x_i$ whenever $\hat\theta_i = \theta_i$. If all tests are passed, A accepts. Otherwise, she rejects and aborts.

3. A and B restrict $x, \theta$ and $\hat x, \hat\theta$, respectively, to the remaining $n$ positions $i \notin T$.

Post-processing:

1. B computes a string $\kappa \in \{+,\times\}^n$ such that $\hat\theta = c(w) \oplus \kappa$, where we think of $+$ as $0$ and $\times$ as $1$ so that $\oplus$ makes sense. He sends $\kappa$ to A and we define $c'(w) := c(w) \oplus \kappa$.

2. A sends $\theta$ and $f \in_R \mathcal{F}$ to B. Both compute $I_w := \{i : \theta_i = c'(w)_i\}$.

3. B sends $g \in_R \mathcal{G}$.

4. A sends $z := f(x|_{I_w}) \oplus g(w)$ to B.

5. B accepts if and only if $z = f(\hat x|_{I_w}) \oplus g(w)$.

Figure 6.6: Improved Protocol for Password-Based Identification.
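The single-qubit measure-and-resend attack on QID described above, as an added example (not code from the thesis). Eve intercepts qubit $i$, measures it in the $+$-basis and forwards the post-measurement state; A and B are honest and share $w$. The final hash comparison of Figure 6.5 is replaced by the equality it tests (B accepts iff $\hat x|_{I_w} = x|_{I_w}$), which differs from the real check only with probability $2^{-\ell}$; the codeword and all names are the example's own.

```python
"""Eve's measure-and-resend attack on one qubit of protocol QID
(Section 6.3.1).  Added example, not code from the thesis.  Bases are
encoded as 0 (+) and 1 (x)."""
import random


def attacked_qid_run(c_w, i, rng):
    """One execution with Eve measuring qubit i in the + basis.
    Returns (B accepts?, kappa_i, theta_hat_i)."""
    n = len(c_w)
    x = [rng.randrange(2) for _ in range(n)]
    theta = [rng.randrange(2) for _ in range(n)]
    theta_hat = [rng.randrange(2) for _ in range(n)]
    # A +-encoded qubit is untouched by Eve's +-measurement; an x-encoded one
    # collapses to a + eigenstate with a fresh random value, so x_i is lost.
    sent_theta, sent_x = list(theta), list(x)
    if theta[i] == 1:
        sent_theta[i] = 0
        sent_x[i] = rng.randrange(2)
    # B's honest measurement of what actually arrives.
    x_hat = [sent_x[j] if sent_theta[j] == theta_hat[j] else rng.randrange(2)
             for j in range(n)]
    kappa = [theta_hat[j] ^ c_w[j] for j in range(n)]     # theta_hat = c(w) xor kappa
    c_prime = [c_w[j] ^ kappa[j] for j in range(n)]         # equals theta_hat for honest B
    I_w = [j for j in range(n) if theta[j] == c_prime[j]]
    accept = all(x[j] == x_hat[j] for j in I_w)             # stands in for the hash check
    return accept, kappa[i], theta_hat[i]


def attack_statistics(c_w, i, trials, seed):
    """What Eve learns about c(w)_i from the public kappa_i and B's verdict.
    A reject needs i in I_w with theta_i = theta_hat_i = x, so it reveals
    theta_hat_i = x and hence c(w)_i = x xor kappa_i with certainty; an accept
    shifts the posterior of theta_hat_i = + from 1/2 to 4/7."""
    rng = random.Random(seed)
    rejects = accepts = accepts_with_plus = 0
    inference_correct = True
    for _ in range(trials):
        accept, kappa_i, theta_hat_i = attacked_qid_run(c_w, i, rng)
        if accept:
            accepts += 1
            accepts_with_plus += theta_hat_i == 0
        else:
            rejects += 1
            inference_correct &= (1 ^ kappa_i) == c_w[i]
    return {"reject_rate": rejects / trials,                  # 1/8 in expectation
            "reject_inference_correct": inference_correct,
            "plus_given_accept": accepts_with_plus / accepts}  # 4/7 in expectation
```

A reject occurs only when $\theta_i = \hat\theta_i = \times$ and B's disturbed outcome is wrong, i.e. with probability $1/8$ per run; each such run hands Eve one bit of $c(w)$, and repeating the attack on different positions erodes the password without Eve ever holding it. This is why Section 6.3.2 adds a disturbance test and authentication of the classical messages.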

In [DFSS07] it was shown how to enhance BQSM-QID in order to obtain security (in the bounded-quantum-storage model) against man-in-the-middle attacks. The very same techniques can also be used to obtain hybrid security against man-in-the-middle attacks for $\mathcal{C}^\alpha$(QID). The techniques from [DFSS07] consist of the following two add-ons to the original protocol.

1. A test on a random subset of qubits in order to detect disturbance of the quantum communication.

2. Authentication of the classical communication.

First note that $\mathcal{C}^\alpha$(QID) already does such a check as required in Point (1.), namely in the verification phase, so this is already taken care of here. Point (2.) requires that Alice and Bob, in addition to the password, share a high-entropy key $k$ that could be stored, e.g., on a smart-card. This key will be used for a so-called extractor MAC. Besides being a MAC, i.e. a message authentication code, such a construction has the additional property that it also acts as an extractor. This means that if the message to be authenticated has high enough min-entropy, then the key-tag pair is close to randomly and independently distributed. As a consequence, the tag gives away (nearly) no information on $k$, and thus, $k$ can be re-used in the next execution of the protocol.^2 For further details, we refer to [DFSS07, DKRS06].

More specifically, in order to obtain hybrid security against man-in-the-middle attacks for $\mathcal{C}^\alpha$(QID), A will, in her last move of the protocol, use the extractor MAC to compute an authentication tag on all the classical messages exchanged plus the string $x|_{I_w}$. This, together with the test of a random subset, prevents Eve from interfering with the (classical and quantum) communication without being detected, and security against Eve essentially follows from the security against impersonation attacks. Note that including $x|_{I_w}$ into the authenticated message guarantees the necessary min-entropy, and as such the re-usability of the key $k$.

We emphasize that the protocol is still secure against impersonation attacks (i.e. dishonest Alice or Bob), even if the adversary knows $k$, but with slightly weaker parameters due to the "entropy-loss" within $x|_{I_w}$, caused by the additional information for authentication and private error correction that is now available.

6.3.2 The Set-Up

In addition to the previous setting in Section 6.2, we now have the following assumptions. Let $\mathrm{MAC}^* : \mathcal{K} \times \mathcal{M} \to \{0,1\}^\ell$ be the extractor MAC with arbitrary key space $\mathcal{K}$, message space $\mathcal{M}$ and error probability $2^{-\ell}$. Its extractor property guarantees that for any message $M$ and quantum state $E$ (which may depend on $M$), the tag $T = \mathrm{MAC}^*(K, M)$ of $M$ is such that $\rho_{TKE}$ is $2^{-(H_\infty(M) - H_0(\rho_E) - \ell)/2}$-close to $\frac{\mathbb{I}}{2^\ell} \otimes \rho_K \otimes \rho_E$. Recall that $c : \mathcal{W} \to \{+,\times\}^n$ is the encoding function of a binary code with minimal distance $d$, and we have strongly universal-2 classes of hash-functions $\mathcal{F} : \{0,1\}^n \to \{0,1\}^\ell$ and $\mathcal{G} : \mathcal{W} \to \{0,1\}^\ell$.

In order to do error correction, let $\{\mathrm{syn}_j\}_{j \in \mathcal{J}}$ be the family of syndrome functions^3 corresponding to a family $\mathcal{C} = \{C_j\}_{j \in \mathcal{J}}$ of linear error correcting codes of length $n' = n/2$, where $n = (1-\alpha)m$. We require the property that any $C_j$ allows to efficiently correct a $\phi''$-fraction of errors for some constant $\phi'' > 0$. For a random $j \in \mathcal{J}$, the syndrome of a string with $t$ bits of min-entropy is $2^{-\frac{1}{4}(t - 2q)}$-close to uniform, given $j$ and any quantum state with max-entropy at most $q$. We refer to [DS05, DFSS07, FS08] for the existence of such families and example constructions. Protocol $\mathcal{C}^\alpha$(QID$^+$) can tolerate a noisy quantum communication up to any error rate $\phi < \phi''$. We stress that for security against man-in-the-middle attacks, error correction with $\phi'' > 0$ needs to be done even if we assume perfect quantum communication (with $\phi = 0$), as should become clear from the analysis of the protocol given below. Finally, we let $\phi'$ be a constant such that $\phi < \phi' < \phi''$.

Functionality $\mathcal{F}_{ID^+}$:

The ideal functionality $\mathcal{F}_{ID^+}$ receives pairs of strings $(w_A, k_A)$ and $(w_B, k_B)$ from honest Alice and Bob, and a string $w_E$ from Eve, where $w_A, w_B \in \mathcal{W}$ and $k_A, k_B \in \mathcal{K}$. If $w_E = w_A$, then $\mathcal{F}_{ID^+}$ sends $(\mathrm{correct}, k_A)$ to Eve. Otherwise, it sends $\mathrm{incorrect}$. Last, Eve is asked to input an "override bit" $d$, and $\mathcal{F}_{ID^+}$ outputs the bit $(w_A \stackrel{?}{=} w_B) \wedge d$ to Bob and to Eve.

Figure 6.7: The Ideal Functionality with Man-in-the-Middle Security.

The ideal functionality $\mathcal{F}_{ID^+}$ is given in Figure 6.7. The following definition captures unconditional security against a man-in-the-middle attacker, where E gets classical $W'$ and quantum state $E$ as input and both honest players A and B get classical input $W$ and $K$. The joint state is then of the form

$\rho_{KWW'E \mid W' \neq W} = \rho_K \otimes \rho_{W \leftrightarrow W' \leftrightarrow E \mid W' \neq W}$.

Note that we require that the adversary's quantum register $E$ is correlated with the honest players' parts only via her classical input $W'$, conditioned on $W' \neq W$.

Definition 6.1 (Unconditional security against a Man-in-the-middle) A protocol $\Pi$ implements an ideal classical functionality $\mathcal{F}$ unconditionally securely against a man-in-the-middle attacker, if for any real-world adversary E there exists an ideal-world adversary $\hat{\mathrm{E}}$ such that, for any input state as specified above, the outputs in the real and the ideal world are statistically indistinguishable, i.e.,

$\mathrm{out}_{A,B,E} \approx \mathrm{out}_{\hat A, \hat B, \hat E}$.

^1 Note that this attack does not immediately apply to the scheme sketched in the previous section, but similar, however more sophisticated, attacks may still apply.

^2 This is in sharp contrast to the standard way of authenticating the classical communication, where the authentication key can only be used a bounded number of times.

^3 Note that we have the following convention: For a bit string $y$ of arbitrary length, $\mathrm{syn}_j(y)$ is to be understood as $\mathrm{syn}_j(y 0 \cdots 0)$ with enough padded zeros if its bit length is smaller than $n'$, and as $(\mathrm{syn}_j(y'), y'')$, where $y'$ consists of the first $n'$ and $y''$ of the remaining bits of $y$, if its bit length is bigger than $n'$.
Computational security against a man-in-the-middle is defined as follows. For a given value of the security parameter $m$, the common reference string $\omega$ is chosen at first. The polynomial-size input sampler takes as input $m$ and $\omega$ and samples an input state of the form

$\rho_{W_A K_A W_B K_B Z E} = \rho_{W_A K_A W_B K_B \leftrightarrow Z \leftrightarrow E}$,

where honest Alice gets as input password $W_A$, honest Bob gets $W_B$, and Eve's quantum register $E$ is correlated with the honest players' part only via her classical input $Z$. In addition to their passwords $W_A, W_B$, the honest players are given high-entropy keys $K_A, K_B$. We restrict the input sampler to choose $K_A$ uniformly at random from $\mathcal{K}$ and guarantee that $K_A = K_B$ whenever $W_A = W_B$.

Definition 6.2 (Computational Security against a Man-in-the-middle) A protocol $\Pi$ implements an ideal classical functionality $\mathcal{F}$ computationally securely against a man-in-the-middle attacker, if for any poly-time real-world adversary E who has access to the common reference string $\omega$, there exists a poly-time ideal-world adversary $\hat{\mathrm{E}}$, not using $\omega$, such that for any input sampler as described above, the outputs in the real and the ideal world are quantum-computationally indistinguishable, i.e.,

$\mathrm{out}_{A,B,E} \stackrel{q}{\approx} \mathrm{out}_{\hat A, \hat B, \hat E}$.



6.3.3 The Protocol

The extended and compiled protocol $\mathcal{C}^\alpha$(QID$^+$) is depicted in Figure 6.8. Corollary 6.3 states hybrid security against man-in-the-middle attacks, such that a computationally or quantum-storage bounded Eve can do no better than trying to guess the password. If the guess is incorrect, she learns (essentially) nothing.

Corollary 6.3 Assume that $|\mathcal{W}| \leq 2^{\nu n}$ and that $c : \mathcal{W} \to \{+,\times\}^n$ has minimal distance $d \geq \delta n$ for $\delta > 0$ and is polynomial-time decodable. Then, protocol $\mathcal{C}^\alpha$(QID$^+$) is computationally secure against Eve with $\beta < \frac{\delta}{4}$, and unconditionally secure against $\gamma(1-\alpha)$-BQSM Eve for $\gamma$ below a bound of the form $\cdot - \nu - \cdot$ whose remaining terms are illegible in the source.

We split the proof of Corollary 6.3 into two parts. First, we show computational security in Proposition 6.3, and second, we show unconditional security in the bounded-quantum-storage model in Proposition 6.4.

Proposition 6.3 Let $c : \mathcal{W} \to \{+,\times\}^n$ have minimal distance $d \geq \delta n$ and be polynomial-time decodable. Then, $\mathcal{C}^\alpha$(QID$^+$) is computationally secure against Eve with $\beta < \frac{\delta}{4}$, according to Definition 6.2.



Proof. We start with the real-life execution of C"(QID+) with honest A and B with respec- 
tive inputs {wA,kA) and {wB,kB), and a man-in-the-middle attacker E. We then modify it 
step by step without (essentially) changing the common output state, such that in the end 
we have a simulation of the protocol as required. 

Protocol C°(QID+)

Preparation:

A chooses $x \in_R \{0,1\}^m$ and $\theta \in_R \{+,\times\}^m$ and sends $|x\rangle_\theta$ to B. B chooses $\hat\theta \in_R \{+,\times\}^m$ and obtains $\hat x \in \{0,1\}^m$ by measuring $|x\rangle_\theta$ in bases $\hat\theta$.

Verification:

1. B sends $c_i := \mathrm{commit}((\hat\theta_i, \hat x_i), r_i)$ with randomness $r_i$ for $i = 1, \ldots, m$.

2. A sends random $T \subset \{1, \ldots, m\}$ with $|T| = \alpha m$. B opens $c_i$ for all $i \in T$, and A checks that the openings were correct and that $x_i = \hat x_i$ whenever $\theta_i = \hat\theta_i$. A accepts if this is the case for all but a $\beta'$-fraction of the tested bits. Otherwise, she rejects and aborts.

3. A and B restrict $x, \theta$ and $\hat\theta, \hat x$, respectively, to the remaining $n$ positions $i \notin T$.

Post-processing:

1. B computes a string $k \in \{+,\times\}^n$ such that $\hat\theta = c(w) \oplus k$. He sends $k$ to A and we define $c'(w) := c(w) \oplus k$.

2. A sends $\theta$, $f \in_R \mathcal{F}$, $j \in_R \mathcal{J}$, and $syn = syn_j(x|_{I_w})$, where $I_w := \{i : \theta_i = c'(w)_i\}$.

3. B sends $g \in_R \mathcal{G}$.

4. A sends $z := f(x|_{I_w}) \oplus g(w)$ to B. Additionally, she sends the authentication tag of all previously transmitted classical information, i.e. $tag^* := \mathrm{MAC}^*_{k_A}(\theta, j, syn, f, g, z, k, T, test, x|_T)$ with $test = \{(c_i, \hat x_i, \hat\theta_i, r_i)\}_{i \in T}$.

5. B uses $syn$ to correct the errors within $\hat x|_{I_w}$, and he accepts if and only if $tag^*$ verifies correctly and $z = f(\hat x|_{I_w}) \oplus g(w)$.

Figure 6.8: Extended and Compiled Protocol for Password-Based Identification.

First, we change the action of B in that we assume that B learns in the final step of C°(QID+) "by magic" whether one of the classical messages communicated was modified by E and whether $w_A = w_B$ or not. He accepts the execution if none of the messages was modified, if $w_A = w_B$, and if $z$ verifies correctly. This changes the outcome of the protocol only by a negligible amount. Indeed, if $w_A = w_B$, the restriction on the input sampler guarantees that $k_A = k_B$ and the claim follows from the security of the MAC. If $w_A \neq w_B$, then B rejects anyway in both versions, except with negligible probability.

Next, we further change the action of B in that B accepts the execution in the final step of C°(QID+) if none of the messages was modified and if $w_A = w_B$ (without verifying $z$). We argue that this modification does not change the common output state, up to a negligible amount. Note that by Lemma 5.1, we may replace the real state consisting of the qubits obtained by A and the choice of $T$ and $T' = \{i \in T : \theta_i = \hat\theta_i\}$ by a negligibly close ideal state (with the same $T$ and $T'$) such that the error rate within $T'$, i.e. the fraction of $i \in T'$ with $x_i \neq \hat x_i$, gives an exact upper bound on the error rate outside of $T$. Thus, it follows that if A does not reject during verification, then B will recover the correct string $x|_{I_w}$ in the final step (except with negligible probability) and correctly verify $z$ if and only if $w_A = w_B$.

The next modification is that B runs the modified protocol with some "dummy input" instead of his real input $w_B$, but he still accepts only if $w_A$ equals his real input $w_B$ and no transmitted message was modified by E. Since B does not reveal any information on his input before the last step, this modification does not change the common output state at all. We write B* for this modified B.

As last modification, we choose an unconditionally binding key pkB as reference string, 
together with the decryption key sk. The new common output state is computationally 
indistinguishable from the previous one by assumption on the commitment keys. 

Now, this modified protocol can be simulated by an ideal-life adversary E via the following two arguments.

(1) E can simulate A as B' does in the proof of security against dishonest Bob (see Theorem 6.2) by sampling an unconditionally binding key $pk_B$, such that E also knows the decryption key $sk$, extracting $w_B$ from B's commitments, and querying the ideal functionality $\mathcal{F}_{QID^+}$. In more detail, upon receiving $k$ from B, E attempts to decode the string $\hat\theta \oplus k$. If this is successful (a codeword at distance at most $d/2$ is returned), it computes the password $w'$ such that $c(w')$ is the decoded codeword. If decoding fails, E chooses an arbitrary $w'$. It then sends $w'$ to $\mathcal{F}_{QID^+}$.

If the functionality replies with (correct, $k_A$), then E completes the simulation by following the protocol with inputs $w' = w_A$ and $k_A$. In that case, the simulation is perfect and the final outputs are equal.

In case the extracted password $w'$ does not match $w_A$, E follows the protocol but uses random values $syn'$, $tag^*$ and $z'$. Note that the real A would use $z = f(x|_{I_{w_A}}) \oplus g(w_A)$ instead of random $z'$. Thus, we have to argue that $f(x|_{I_{w_A}})$ is statistically close to random and independent of the view of E (for any fixed $w'$). Recall that the common state after the verification phase is statistically close to a state for which it is guaranteed that $H_\infty(X|_I) \ge d_H(\theta|_I, \hat\theta|_I) - \beta n$ for any $I \subseteq \{1, \ldots, n\}$, and $H_0(\rho_E) \le \beta n$. Hence, switching between these two states has only a negligible effect on the final output, and thus we may assume these bounds also to hold here. By the way $w'$ was chosen, it is guaranteed that $\hat\theta \oplus k$ has Hamming distance at most $d/2$ from $c(w')$, which is at distance greater than $d$ from $c(w)$. Thus, the Hamming distance between $\hat\theta \oplus k$ and $c(w)$ is at least $d/2$, except with negligible probability. The same holds if decoding fails, since $\hat\theta \oplus k$ is then at least $d/2$ away from any codeword, and in particular $c(w) \oplus k$ has distance at least $d/2$ from $\hat\theta$. It follows that the Hamming distance between $\theta|_{I_{w_A}}$ and $\hat\theta|_{I_{w_A}}$ is at least $(d/4 - \varepsilon)n$. Therefore, we can conclude that $H_\infty(X|_{I_{w_A}}) \ge d/4 - \varepsilon n - \beta n$.

Finally, note that by the property of the code family as described previously, it follows that if $H_\infty(X|_{I_{w_A}}) > 2H_0(\rho_E)$ with a linear gap, then $syn$ is close to uniformly distributed from E's point of view. Then, from the extractor property of $\mathrm{MAC}^*$, it follows that $tag^*$ is essentially random and independent of $k, f, test, T, w, w', \theta$ and E, conditioned on $w \neq w'$. And further, privacy amplification guarantees that $f(x|_{I_{w_A}})$ is uniformly distributed and thus $z$ is close to random and independent of E (conditioned on $w_A \neq w'$). Now, given the two $\ell$-bit strings $tag^*$ and $z$, the bound on the min-entropy is slightly reduced by $2\ell$.

(2) E can also simulate the modified B* up to before the final step, as B* uses a "dummy input". If the simulated A rejects in the verification, or E has modified one of the communicated messages, then E sends the "override bit" $d = 0$ to the ideal functionality. Otherwise, it sends $d = 1$ and therewith learns whether $w_A = w_B$ or not. In both cases, E can easily complete the simulation for B*. The claim follows. ■



Proposition 6.4 If $|\mathcal{W}| \le 2^{\nu n}$, then protocol C°(QID+) is unconditionally secure against $\gamma(1-\alpha)$-BQSM Eve with $\gamma < d/4 - \nu - 2\ell$, according to Definition 6.1.



Proof. Here, we can reason similarly to the proof in DFSS07 against a man-in-the-middle. 
By the security of the MAC, E cannot modify any classical message without being de- 
tected (and the extractor property guarantees re-usability). Therefore, one can show security 
against E up to the point before B announces whether to accept the protocol execution or 
not. 

In order to show security even after B has announced his decision, one can make the 
following case distinction. If E modifies the quantum communication in such a way that she 
only introduces a few errors in the test set, then she also only introduced a few errors in the 
remaining positions, except with small probability. Those positions will be corrected by the 
error correction, and thus, B accepts — independent of what w is. In the other case, namely 
if E modifies the quantum communication in such a way that she introduces many errors in 
the test set, then A rejects already early in the protocol — independent of what w is. Hence, 
this case distinction does not depend on w. It follows that B's announcement of whether he 
accepts or rejects gives away no information on w. 

Let $w'$ denote E's guess of the password. Then, if $w' \neq w$, $x|_{I_w}$ has $d/4 - $ bits of entropy, given $w$, $w'$ and $\theta$. Furthermore, given $tag^*$ and $f(x|_{I_w})$, the min-entropy is reduced by $2\ell$. By the properties of the code family and the privacy amplification property of $\mathrm{MAC}^*$ and the hash-function, we get that $syn$ as well as $tag^*$ and $f(x|_{I_w})$ are essentially random and independent, conditioned on $w \neq w'$, for $\gamma < d/4 - \nu - 2\ell$. ■



Part III

Cryptography in the Quantum World

Chapter 7

Introduction



In this part of the thesis, we want to investigate classical cryptography in the quantum world, 
which means that we consider the security of classical protocols subject to quantum attacks. 
This scenario is of practical importance and independent of any progress towards large-scale 
quantum computing. In the following sections, we introduce various commitment schemes 
and extended variants thereof, which we will use as underlying constructions of the protocols 
in the subsequent chapters. 



In Chapter 8, we show that a quantum-secure bit commitment, as discussed in Section 7.1, implies a quantum-secure single coin-flip. Then, we will use the mixed commitments, described in Part II, Section 4.1, together with a variation of its extended construction (described in Section 7.2) to equip the underlying commitment construction with extraction and equivocability such that we achieve an efficiently simulatable and more general composable single coin-flip.

In Chapter 9, we propose a framework for the quantum-secure amplification of the security degree of coins, where we rely on the mixed commitments of Section 4.1. One step towards a fully simulatable coin-flipping protocol, however, requires an extended construction allowing for an untypical way of opening a commitment in that, instead of sending the plaintext, we do a trapdoor opening (Section 7.3).

In Chapter 10, we show different example applications, where the interactive generation of coins at the beginning or during outer protocols results in implementations without set-up assumptions and allows for quantum-secure realizations of classical schemes.



7.1 Regular Bit Commitment 

In Chapter 8, we will show a natural and direct translation of standard coin-flipping to the quantum world. Recall from Section 2.4.1 that commitments imply coin-flipping. More specifically, we require an unconditionally binding and quantum-computationally hiding bit commitment scheme from A to B that takes a bit and some randomness $r$ of length $\ell$ as input, i.e. $\mathrm{commit} : \{0,1\} \times \{0,1\}^\ell \to \{0,1\}^*$. As discussed, the unconditionally binding property is fulfilled, if it is impossible for any forger to open one commitment to both $0$ and $1$, i.e. to compute $r, r'$ such that $\mathrm{commit}(0, r) = \mathrm{commit}(1, r')$. Quantum-computational hiding is ensured, if no quantum distinguisher $\mathcal{D}$ can distinguish between $\mathrm{commit}(0, r)$ and $\mathrm{commit}(1, r')$ for random $r, r'$ with non-negligible advantage. Note that we will use this simple notation for the commitments in the following sections. For a specific scheme, the precise notation has to be naturally adapted.
For an actual instantiation we can use, for instance, Naor's commitment based on a pseudorandom generator (Nao91). A pseudorandom generator is a function that maps a short, randomly chosen seed to a long pseudorandom sequence, which is computationally indistinguishable from a truly random string for any polynomial-time bounded adversary. Informally speaking, pseudorandomness ensures unpredictability of the next bit in the sequence after learning the previous ones. There are two main arguments for commitments based on pseudorandomness. First, this construction does not require any initially shared information between the players. This aspect is of particular importance, when we later propose sequential coin-flipping for actually implementing the CRS-model assumption, and therewith, implementing other functionalities from scratch without any set-up assumptions. The second reason relates to our claim of quantum security. Given any one-way function, pseudorandom generators can be constructed, where the security parameter is defined by the length of the seeding key. A brute-force search through the key space would find all seeds, and thus, all pseudorandom sequences could be computed. Now, under the assumption of a quantum-secure one-way function, Grover's optimal quantum search algorithm provides only a quadratic speed-up for brute-force searching. More efficient attacks are not known, and therewith, we claim that for any poly-time bounded quantum adversary, we achieve quantum-secure schemes.



More formally (Nao91), let $f(n)$ denote a function with $f(n) > n$. Then, $G : \{0,1\}^n \to \{0,1\}^{f(n)}$ defines a pseudorandom generator, if for all polynomial-time (quantum) distinguishers $\mathcal{D}$, it holds that

$$\big|\Pr[\mathcal{D}(y) = 1] - \Pr[\mathcal{D}(G(s)) = 1]\big| \le \varepsilon \,,$$

where $y \in_R \{0,1\}^{f(n)}$, $s \in_R \{0,1\}^n$, and $\varepsilon$ is negligible in the security parameter $n$. A bit commitment scheme using pseudorandomness is now constructed as follows. Let $a$ be the bit to which Alice wants to commit, and let $G_i(s)$ denote the $i$th bit of the pseudorandom sequence on seed $s$. To ensure the binding property, the receiver Bob sends a random vector $R_B = (r_1, \ldots, r_{3n})$ where $r_i \in_R \{0,1\}$ for $1 \le i \le 3n$. Alice selects $s \in_R \{0,1\}^n$ and sends the vector $R_A = (r'_1, \ldots, r'_{3n})$, where

$$r'_i = \begin{cases} G_i(s) & \text{if } r_i = 0 \,, \\ G_i(s) \oplus a & \text{if } r_i = 1 \,. \end{cases}$$

To open the commitment, Alice sends $s$ and Bob then verifies that for all $i$, $r'_i = G_i(s)$ for $r_i = 0$ and $r'_i = G_i(s) \oplus a$ for $r_i = 1$.

Assuming that a dishonest receiver is polynomial-time bounded, he cannot learn anything about $a$. Otherwise, he could be used to construct a distinguisher $\mathcal{D}$ between pseudorandom and truly random outputs. This also holds in the quantum world, since the reduction does not require rewinding. It follows that any quantum-computationally bounded receiver can only guess $a$ with probability essentially $1/2$, so the commitment scheme is quantum-computationally hiding.

For any (unbounded) dishonest committer, opening a commitment to both values $0$ and $1$ requires a seed pair $(s_1, s_2)$, such that the sequences $G_{3n}(s_1)$ and $G_{3n}(s_2)$ agree for all $i$ where $r_i = 0$ and disagree for all $i$ where $r_i = 1$, i.e. $r_i = G_i(s_1) \oplus G_i(s_2)$ for exactly one $R_B$ chosen by the other player. The probability for the existence of such a pair is at most $2^{2n}/2^{3n} = 2^{-n}$. It follows that the committer can reveal only one possible $a$, except with probability less than $2^{-n}$, which satisfies statistical binding.
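The scheme just described, as an added example that is not from the thesis: a Python implementation of Naor's commitment with a SHA-256-based stand-in for the pseudorandom generator (an assumption; the construction works with any PRG in the sense above), Bob's check of an opening, the binding condition on seed pairs, and one run of the commit-then-reveal coin flip that such a commitment implies.

```python
import hashlib
import secrets

# Stand-in pseudorandom generator (an assumption of this example, not part of
# Naor's construction): stretches an n-bit seed to 3n bits with SHA-256 in
# counter mode. Any PRG G: {0,1}^n -> {0,1}^{3n} in the sense above fits here.
def prg(seed: bytes, out_bits: int) -> list:
    bits = []
    counter = 0
    while len(bits) < out_bits:
        block = hashlib.sha256(seed + counter.to_bytes(4, "big")).digest()
        bits.extend((byte >> k) & 1 for byte in block for k in range(8))
        counter += 1
    return bits[:out_bits]

def receiver_vector(n: int) -> list:
    """Bob's random vector R_B = (r_1, ..., r_3n) with r_i in_R {0,1}."""
    return [secrets.randbelow(2) for _ in range(3 * n)]

def commit(a: int, seed: bytes, r_b: list) -> list:
    """Alice's commitment R_A: r'_i = G_i(s) if r_i = 0 and G_i(s) xor a if r_i = 1."""
    g = prg(seed, len(r_b))
    return [g[i] ^ (a & r_b[i]) for i in range(len(r_b))]

def verify_opening(r_a: list, r_b: list, a: int, seed: bytes) -> bool:
    """Bob's check on receiving the opening (s, a): recompute R_A from the seed."""
    return r_a == commit(a, seed, r_b)

def equivocates(seed1: bytes, seed2: bytes, r_b: list) -> bool:
    """Binding fails for this R_B only if two seeds exist whose sequences agree
    where r_i = 0 and differ where r_i = 1 (the 2^{-n} bound above)."""
    g1, g2 = prg(seed1, len(r_b)), prg(seed2, len(r_b))
    return all((g1[i] ^ g2[i]) == r_b[i] for i in range(len(r_b)))

def coin_protocol(n: int) -> tuple:
    """One run of the commit-then-reveal coin flip built on this commitment:
    returns (coin, opening accepted by Bob)."""
    r_b = receiver_vector(n)                   # Bob's first message R_B
    a, seed = secrets.randbelow(2), secrets.token_bytes(n // 8)
    r_a = commit(a, seed, r_b)                 # Alice commits to a
    b = secrets.randbelow(2)                   # Bob's bit, chosen after seeing R_A
    ok = verify_opening(r_a, r_b, a, seed)     # Alice opens, Bob verifies
    return a ^ b, ok
```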



7.2 Extended Construction for Mixed Commitments 

We will, also in the context of a single coin-flip, need an extended construction, which is similar to the extension of Section 4.1.4 but adapted to the case of an underlying commitment from A to B with flavors unconditionally binding and quantum-computationally hiding. We again aim at providing the respective simulator with a trapdoor for either extraction to efficiently simulate in case of A' or equivocability to avoid rewinding B'. As in Section 4.1.4, we require a $\Sigma$-protocol for a (quantumly) hard relation $\mathcal{R} = \{(x, w)\}$ with conversations $(a^\Sigma, c^\Sigma, z^\Sigma)$. Furthermore, we will also use the keyed dual-mode commitment scheme described in Section 4.1.2, based on the multi-bit version of PVW08 with keys $pk_H$ and $pk_B$, where it holds that $pk_H \stackrel{q}{\approx} pk_B$.

In the real protocol, the common reference string consists of commitment key $pk_B$ and an instance $x'$ for which it holds that $\nexists\, w'$ such that $(x', w') \in \mathcal{R}$, where we assume that $x \neq x'$. To commit to bit $a$, A runs the honest-verifier simulator to get a conversation $(a^\Sigma, a, z^\Sigma)$. She then sends $a^\Sigma$ and two commitments $C_0, C_1$ to B, where $C_a = \mathrm{commit}(z^\Sigma, r_a)$ and $C_{1-a} = \mathrm{commit}(0^{z'}, r_{1-a})$ with randomness $r_a, r_{1-a}$ and $z' = |z^\Sigma|$. Then, $(a, (z^\Sigma, r_a))$ is sent to open the relevant commitment $C_a$, and B checks that $(a^\Sigma, a, z^\Sigma)$ is an accepting conversation. Assuming that the $\Sigma$-protocol is honest-verifier zero-knowledge and $pk_B$ leads to unconditionally binding commitments, the new commitment construction is again unconditionally binding.

During simulation, $\hat A'$ chooses a $pk_B$ such that it knows the matching decryption key $sk$. Then, it can extract A''s choice bit $a$ by decrypting both $C_0$ and $C_1$ and checking which contains a valid $z^\Sigma$. Again, not both $C_0$ and $C_1$ can contain a valid reply, since otherwise A' would know a $w'$ such that $(x', w') \in \mathcal{R}$. In order to simulate in case of B', $\hat B'$ chooses $pk_H$ and $x$. Hence, the commitment is unconditionally hiding in this simulation. Furthermore, it can be equivocated, since now $\exists\, w$ with $(x, w) \in \mathcal{R}$ and therefore, $C_0, C_1$ can both be computed with valid replies, i.e. $C_0 = \mathrm{commit}_{pk_H}(z^\Sigma_0, r_0)$ and $C_1 = \mathrm{commit}_{pk_H}(z^\Sigma_1, r_1)$. Quantum-computational security against B' follows from the indistinguishability of the keys $pk_B$ and $pk_H$ and the indistinguishability of the instances $x$ and $x'$, and efficiency of both simulations is ensured, due to extraction and equivocability.



7.3 Trapdoor Opening for Mixed Commitments 

The typical notion of mixed commitment schemes is stronger than we require for our basic construction of mixed commitments, namely, it postulates trapdoors for both extraction and equivocability. As previously discussed, it suffices in our basic construction to only rely on an extraction trapdoor. This aspect is very convenient, since it allows us to weaken the assumption on its underlying construction, i.e., we can build it from a public-key cryptosystem with regular keys $pk$ and $sk$ as binding commitment key and extraction key, and require only an indistinguishable hiding key, generated as a random string in the key space. This, in turn, offers the possibility of generating the hiding key solely by a preceding interactive coin-flipping procedure without any set-up assumptions. For a more advanced usage of commitments as in our strong coin-flipping notion in Chapter 9, however, we have (in some sense) the requirement of equivocability. We want to maintain the interactive generation of the key at any rate, which means that we do not have enough control of its generation and even less control to equip it with a trapdoor (as done in Sections 4.1.4 and 7.2).

We therefore develop a special notion of trapdoor opening, where the ability to do a 
trapdoor opening is not associated to a special knowledge of the hiding key, but is rather 
done by cheating in the opening phase. Specifically, we do the opening not by sending the 
plaintext and the randomness, committed to in the first phase but instead by sending only 
the plaintext and then doing an interactive proof that this plaintext is indeed what was 
committed to. The ability to do trapdoor openings will then be associated with being able 
to control the challenge in the interactive proof. We will get this control by using a weak 
coin-flipping protocol as sub-protocol. This will be one of the essential steps in bootstrapping 
fully simulatable strong coin-flipping from weak coin-flipping. 

As before, we denote the mixed string commitment scheme of Section 4.1 by $\mathrm{commit}_{pk}$. Let $K$ be the security parameter defining the key space $\{0,1\}^K$ and let $\sigma$ be the secondary security parameter controlling the soundness error in the interactive proof, which we want to be negligible in $\sigma$ when $\mathrm{commit}_{pk}$ is unconditionally binding. We equate the plaintext space $\{0,1\}^K$ of $\mathrm{commit}_{pk}$ with the Galois field $\mathbb{F} = \mathbb{F}_{2^K}$. The new extended commitment scheme, equipped with the possibility to do trapdoor openings, is denoted by $\mathrm{COMMIT}_{pk}$. We assume its plaintext space to be $\mathbb{F}^\sigma$ and denote by $sss$ a secret sharing scheme over $\mathbb{F}$.

Given message $m = (m_1, \ldots, m_\sigma) \in \mathbb{F}^\sigma$ and randomizer $s = (s_1, \ldots, s_\sigma) \in \mathbb{F}^\sigma$, let $f_{m,s}(X)$ denote the unique polynomial of degree $2\sigma - 1$, for which $f_{m,s}(-i+1) = m_i$ for $i = 1, \ldots, \sigma$ and $f_{m,s}(i) = s_i$ for $i = 1, \ldots, \sigma$. Furthermore, we "fill up" positions $i = \sigma + 1, \ldots, \Sigma$, where $\Sigma = 4\sigma$, by letting $s_i = f_{m,s}(i)$. The shares are now $s = (s_1, \ldots, s_\Sigma)$. The new commitment scheme $\mathrm{COMMIT}_{pk}$ is described in Figure 7.1.



We stress two simple facts about this scheme. First, for any message $m \in \mathbb{F}^\sigma$ and any subset $S \subset \{1, \ldots, \Sigma\}$ of size $|S| = \sigma$, the shares $s|_S$ are uniformly random in $\mathbb{F}^\sigma$, when $s$ is chosen uniformly at random in $\mathbb{F}^\sigma$ and independent of $m$. This aspect is trivial for $S = \{1, \ldots, \sigma\}$, as we defined it that way, and it extends to the other subsets using Lagrange interpolation. And second, if $m^1, m^2 \in \mathbb{F}^\sigma$ are two distinct messages, then $sss(m^1; s^1)$ and $sss(m^2; s^2)$ have Hamming distance at least $\Sigma - 2\sigma$. Again, this follows by Lagrange interpolation, since the polynomial $f_{m^1,s^1}(X)$ has degree at most $2\sigma - 1$, and hence, can be computed from any $2\sigma$ shares $s_i$ using Lagrange interpolation. The same holds for $f_{m^2,s^2}(X)$. Thus, if $2\sigma$ shares are the same, then $f_{m^1,s^1}(X)$ and $f_{m^2,s^2}(X)$ are the same, which implies that the messages $m^1 = (f_{m^1,s^1}(-\sigma+1), \ldots, f_{m^1,s^1}(0))$ and $m^2 = (f_{m^2,s^2}(-\sigma+1), \ldots, f_{m^2,s^2}(0))$ are the same.

First note that if the underlying commitment $\mathrm{commit}_{pk}$ is unconditionally hiding, then so is $\mathrm{COMMIT}_{pk}$. In the following, we investigate the extraction property of $\mathrm{COMMIT}_{pk}$, under the assumption that we work in the unconditionally binding mode of $\mathrm{commit}_{pk}$. Given any commitment $M = (M_1, \ldots, M_\Sigma)$, we extract

$$(xtr_{sk}(M_1), \ldots, xtr_{sk}(M_\Sigma)) = (s_1, \ldots, s_\Sigma) = s \,.$$
Commitment Scheme COMMIT_pk:

Commitment Phase:

1. Let $m \in \mathbb{F}^\sigma$ be the message to be committed to. The committer samples uniformly random $s \in \mathbb{F}^\sigma$ and computes the shares $sss(m; s) = (s_1, \ldots, s_\Sigma)$, where $s_i \in \mathbb{F}$.

2. He computes $\mathrm{COMMIT}_{pk}(m, (s, r)) = (M_1, \ldots, M_\Sigma)$. In more detail, for $i = 1, \ldots, \Sigma$ the committer computes $M_i = \mathrm{commit}_{pk}(s_i, r_i)$ with shares $s = (s_1, \ldots, s_\Sigma)$ and randomness $r = (r_1, \ldots, r_\Sigma)$.

3. The committer sends $(M_1, \ldots, M_\Sigma)$.

Opening Phase:

1. The committer sends the shares $s = (s_1, \ldots, s_\Sigma)$ to the receiver.

2. If the shares are not consistent with a polynomial of degree at most $2\sigma - 1$, the receiver aborts. Otherwise, he picks a uniformly random subset $S \subset \{1, \ldots, \Sigma\}$ of size $|S| = \sigma$ and sends $S$ to the committer.

3. The committer sends $r|_S$.

4. The receiver verifies that $M_i = \mathrm{commit}_{pk}(s_i, r_i)$ for all $i \in S$. If the test fails, he aborts. Otherwise, he computes the message $m \in \mathbb{F}^\sigma$ consistent with $s$.

Figure 7.1: The Commitment Scheme COMMIT_pk.

Assume $s' = (s'_1, \ldots, s'_\Sigma)$ is the consistent sharing closest to $s$. That means that $s'$ is the vector which is consistent with a polynomial $f_{m',s'}(X)$ of degree at most $2\sigma - 1$ and which at the same time differs from $s$ in the fewest positions. Note that we can find $s'$ in poly-time when using a Reed-Solomon code, which has efficient minimal distance decoding. We then interpolate this polynomial $f_{m',s'}(X)$, let $m' = (f_{m',s'}(-\sigma+1), \ldots, f_{m',s'}(0))$, and define $m'$ to be the message committed to by $\mathrm{COMMIT}_{pk}$. Any other sharing $s'' = (s''_1, \ldots, s''_\Sigma)$ must have Hamming distance at least $2\sigma$ to $s'$. Now, since $s$ is closer to $s'$ than to any other consistent sharing, it must, in particular, be closer to $s'$ than to $s''$. This implies that $s$ is at distance at least $\sigma$ to $s''$.

We will use this observation for proving soundness of the opening phase. To determine the soundness error, assume that $\mathrm{COMMIT}_{pk}$ does not open to the shares $s'$ consistent with $s$. As observed, this implies that $(xtr_{sk}(M_1), \ldots, xtr_{sk}(M_\Sigma))$ has Hamming distance at least $\sigma$ to $s'$. However, when $\mathrm{commit}_{pk}$ is unconditionally binding, each $M_i$ can only be opened to $xtr_{sk}(M_i)$. From the above two facts, we have that there are at least $\sigma$ values $i \in \{1, \ldots, \Sigma\}$ such that the committer cannot open $M_i$ to the announced share $s_i$ if $i \in S$. Since $\Sigma = 4\sigma$, these $\sigma$ bad indices (bad for a dishonest sender) account for a fraction of $1/4$ of all points in $\{1, \ldots, \Sigma\}$. Thus, the probability that none of the $\sigma$ points in $S$ is a bad index is at most $(3/4)^\sigma$, which is negligible. Lemma 7.1 follows.



Lemma 7.1 If $pk$ is unconditionally binding, then the probability that an unbounded cheating committer can open $M = \mathrm{COMMIT}_{pk}(m, (s, r))$ to a plaintext different from $xtr_{sk}(M)$ is at most $(3/4)^\sigma$, assuming that the challenge $S$ is picked uniformly at random and independent of $M$.

In the context of simulation, we will use the challenge $S$ as the simulator's trapdoor, allowing him to equivocally open his commitments. In such a simulation, the ideal-world adversary $\mathcal{S}$ can — by means discussed later — enforce a specific challenge, i.e., it is guaranteed that this will be the challenge in the opening phase. Thus, for simplicity, we assume here that it simply gets a fixed challenge $S$ as input. The simulation is described in Figure 7.2. Lemma 7.2 follows via a hybrid argument, which relies on the quantum-computational indistinguishability in switching unconditionally binding and unconditionally hiding commitment keys. We omit a proof here but refer to Chapter 9, where the construction will be explicitly proven within its outer construction.

Lemma 7.2 If $\tilde m = m$, then the transcript of the protocol is identical to that of an honest commitment to $m$, followed by an honest opening phase to $m$, and run with a uniformly random challenge $S$.

If $\tilde m \neq m$, then the transcript of the protocol is quantum-computationally indistinguishable from that of an honest commitment to $\tilde m$, followed by an honest opening phase to $\tilde m$, and run with a uniformly random challenge $S$.



Simulating COMMIT_pk with Trapdoor S:

1. $\mathcal{S}$ gets as input a uniformly random subset $S \subset \{1, \ldots, \Sigma\}$ of size $\sigma$ and an initial message $m \in \mathbb{F}^\sigma$.

2. $\mathcal{S}$ commits honestly to $m \in \mathbb{F}^\sigma$ by $M = \mathrm{COMMIT}_{pk}(m, (s, r))$, as specified in the commitment phase.

3. $\mathcal{S}$ is given an alternative message $\tilde m \in \mathbb{F}^\sigma$, i.e., the aim is opening $M$ to $\tilde m$.

4. $\mathcal{S}$ lets $s|_S$ be the $\sigma$ messages committed to by $M|_S$. Then it interpolates the unique polynomial $f_{\tilde m,s}$ of degree at most $2\sigma - 1$ for which $f_{\tilde m,s}(i) = s_i$ for $i \in S$ and for which $f_{\tilde m,s}(-i+1) = \tilde m_i$ for $i = 1, \ldots, \sigma$. Note that this is possible, as we have exactly $2\sigma$ points which restrict our choice of $f_{\tilde m,s}$. $\mathcal{S}$ sends $\tilde s = (f_{\tilde m,s}(1), \ldots, f_{\tilde m,s}(\Sigma))$ to the receiver.

5. The receiver sends the challenge $S$.

6. For all $i \in S$, the sender opens $M_i$ to $f_{\tilde m,s}(i)$. This is possible, since $f_{\tilde m,s}(i) = s_i$ is exactly the message committed to by $M_i$ when $i \in S$.

Figure 7.2: The Ideal-World Simulation of COMMIT_pk.
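Figures 7.1 and 7.2 together, as an added Python example that is not the thesis' own code: COMMIT_pk over a toy field GF(2^8) with a hash-based stand-in for commit_pk (both assumptions; the message points -σ+1, ..., 0 are relabelled as Σ+1, ..., Σ+σ, see the comment in the code), the receiver's consistency and spot checks from the opening phase, and the simulator's trapdoor opening, which succeeds exactly when the challenge S was known in advance.

```python
import hashlib
import secrets

# Toy field F = GF(2^8) with the AES polynomial x^8+x^4+x^3+x+1. The thesis works
# in F_{2^K} for a large K; the tiny field is an assumption made for illustration.
def gf_mul(a: int, b: int) -> int:
    p = 0
    while b:
        if b & 1:
            p ^= a
        a <<= 1
        if a & 0x100:
            a ^= 0x11B
        b >>= 1
    return p

def gf_inv(a: int) -> int:
    r, e = 1, 254                     # a^254 = a^-1 for a != 0
    while e:
        if e & 1:
            r = gf_mul(r, a)
        a, e = gf_mul(a, a), e >> 1
    return r

def interpolate(points: list) -> list:
    """Lagrange interpolation over F: coefficients (lowest degree first) of the
    unique polynomial of degree < len(points) through the given (x, y) pairs."""
    coeffs = [0] * len(points)
    for j, (xj, yj) in enumerate(points):
        num, denom = [1], 1           # prod_{k != j} (X - x_k) and its scalar divisor
        for k, (xk, _) in enumerate(points):
            if k != j:
                new = [0] * (len(num) + 1)
                for d, c in enumerate(num):   # num *= (X + x_k); minus is xor in F
                    new[d + 1] ^= c
                    new[d] ^= gf_mul(c, xk)
                num, denom = new, gf_mul(denom, xj ^ xk)
        scale = gf_mul(yj, gf_inv(denom))
        for d, c in enumerate(num):
            coeffs[d] ^= gf_mul(c, scale)
    return coeffs

def evaluate(coeffs: list, x: int) -> int:
    y = 0
    for c in reversed(coeffs):        # Horner's rule
        y = gf_mul(y, x) ^ c
    return y

SIGMA = 4                             # sigma; Sigma = 4 sigma = 16 shares
BIG = 4 * SIGMA
# The thesis evaluates the message at -sigma+1, ..., 0; in characteristic 2 these
# coincide with share points, so (an assumption) we use Sigma+1, ..., Sigma+sigma.
MSG_POINTS = list(range(BIG + 1, BIG + SIGMA + 1))

def sss(m: list, s: list) -> list:
    """sss(m; s): f_{m,s} of degree <= 2 sigma - 1, shares are f(1), ..., f(Sigma)."""
    f = interpolate(list(zip(MSG_POINTS, m)) + list(zip(range(1, SIGMA + 1), s)))
    return [evaluate(f, i) for i in range(1, BIG + 1)]

def consistent(shares: list) -> bool:
    """Opening step 2: all Sigma shares on one polynomial of degree <= 2 sigma - 1?"""
    f = interpolate(list(zip(range(1, 2 * SIGMA + 1), shares[:2 * SIGMA])))
    return all(evaluate(f, i) == shares[i - 1] for i in range(1, BIG + 1))

def message_of(shares: list) -> list:
    """Opening step 4: the message m consistent with a (consistent) sharing."""
    f = interpolate(list(zip(range(1, 2 * SIGMA + 1), shares[:2 * SIGMA])))
    return [evaluate(f, x) for x in MSG_POINTS]

def commit_pk(share: int, rnd: bytes) -> bytes:
    # Hash-based stand-in (assumption) for commit_pk of Section 4.1 in binding mode.
    return hashlib.sha256(bytes([share]) + rnd).digest()

def COMMIT(m: list) -> tuple:
    """Commitment phase: returns M = (M_1, ..., M_Sigma) and the opening data (s, r)."""
    s = [secrets.randbelow(256) for _ in range(SIGMA)]
    shares = sss(m, s)
    rnd = [secrets.token_bytes(16) for _ in range(BIG)]
    return [commit_pk(shares[i], rnd[i]) for i in range(BIG)], shares, rnd

def receiver_check(M: list, shares: list, S: list, rnd_S: dict):
    """Opening steps 2 and 4: consistency check, then spot-check M_i for i in S.
    Returns the committed message, or None when the receiver aborts."""
    if not consistent(shares):
        return None
    if any(M[i - 1] != commit_pk(shares[i - 1], rnd_S[i]) for i in S):
        return None
    return message_of(shares)

def trapdoor_open(m_tilde: list, shares: list, S: list) -> list:
    """Figure 7.2, step 4: knowing S in advance, interpolate f_{m~,s} through the
    sigma honestly committed shares s|_S and the sigma new message values, and
    announce its evaluations; M|_S then opens honestly to these shares."""
    pts = [(i, shares[i - 1]) for i in S] + list(zip(MSG_POINTS, m_tilde))
    f = interpolate(pts)
    return [evaluate(f, i) for i in range(1, BIG + 1)]
```

Against a challenge S' that was not known in advance, the equivocated sharing is caught as soon as S' hits one of the positions where it differs from the committed shares, which is the (3/4)^σ bound of Lemma 7.1.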
Chapter 8

Quantum-Secure Coin-Flipping

Coin-flipping is introduced in Section 2.4.4 and allows two parties to agree on a uniformly random bit in a fair way. Security for both parties follows, if neither party can influence the value of the coin to his advantage. Thus, it enables the parties to interactively generate true randomness from scratch. The chapter is based on parts of DL09.

8.1 Motivation and Related Work 



We are interested in the standard coin-flipping protocol (Blu81) with classical message exchange, but we here assume that the adversary is capable of quantum computing. As already mentioned, bit commitment implies a secure coin-flipping, but even when basing the embedded commitment on a computational assumption that withstands quantum attacks, the security proof of the entire coin-flipping (and its integration into other applications) could previously not be translated from the classical to the quantum world.

Typically, security against a classical adversary is argued in such a context by rewinding the adversary in a simulation. Recall that, in general, rewinding as a proof technique cannot be directly applied in the quantum world. Based on a recent result of Watrous (Wat09), which originally allowed to prove unconditionally that quantum zero-knowledge of certain interactive proofs is possible and that the classical definitions can be translated into the quantum world, we show the most natural and direct quantum analogue of the classical security proof for standard coin-flipping.

We want to mention an alternative approach, which was independently investigated but never published (Smi09). They propose a classical protocol for zero-knowledge proofs of knowledge secure against quantum adversaries. The protocol consists of a commitment phase and two zero-knowledge proofs. Instead of opening the commitment, the committer claims the value of the committed coins and gives the first zero-knowledge proof that the claim is correct. To simulate this zero-knowledge proof, Watrous' technique is used. Note that this approach allows for flipping a string of coins in the commitments, and thus, arrives at a coin-flipping protocol with round complexity independent of the length of the flipped string at first. However, the required zero-knowledge proof has round complexity depending on the security parameter, i.e. how many proofs must be completed to achieve a negligible soundness error. Finally, the coin-string is used as key to encode the witness and the second zero-knowledge proof is given that this statement is actually true. As encryption scheme, they suggest a scheme with similar properties as in our mixed commitment constructions — but at least to our best knowledge, the question of its actual secure implementation was left open.

Protocol COIN:

1. A chooses $a \in_R \{0,1\}$ and computes $\mathrm{commit}(a, r)$. She sends $\mathrm{commit}(a, r)$ to B.

2. B chooses $b \in_R \{0,1\}$ and sends $b$ to A.

3. A sends $\mathrm{open}(a, r)$ and B checks if the opening is valid.

4. Both compute $coin = a \oplus b$.

Figure 8.1: The Coin-Flipping Protocol.

Functionality $\mathcal{F}_{COIN}$:

Upon receiving requests $start$ from Alice and Bob, $\mathcal{F}_{COIN}$ outputs uniformly random $coin$ to Alice. It then waits to receive Alice's second input $\top$ or $\bot$ and outputs $coin$ or $\bot$ to Bob, respectively.

Figure 8.2: The Ideal Functionality for a Coin-Flip.

We stress that we aim at establishing coin-flipping as a stand-alone tool that can be used in several contexts and different generic constructions. Some example applications thereof are discussed in Chapter 10, including an independently proposed zero-knowledge proof of knowledge. In order to include coin-flipping securely in other applications, we conclude this chapter by proving the basic construction secure under sequential composition and propose an extended construction for general composability.



8.2 The Protocol 



The standard coin-flipping protocol COIN is shown in Figure 8.1, allowing players A and B to interactively generate a random and fair coin in one execution without any set-up requirements. As underlying commitment scheme, we use the unconditionally binding and quantum-computationally hiding scheme described in Section 7.1 with security parameter $n$. We will use its simpler notation here, namely $\mathrm{commit}(a, r)$ with input $a \in \{0,1\}$, randomness $r \in \{0,1\}^\ell$ and output in $\{0,1\}^*$. To indicate the opening phase, where A sends $a$ and $r$, we will write $\mathrm{open}(a, r)$. The corresponding ideal coin-flipping functionality $\mathcal{F}_{COIN}$ is depicted in Figure 8.2. Note that dishonest A' may refuse to open $\mathrm{commit}(a, r)$ in the real world after learning B's input. For this case, $\mathcal{F}_{COIN}$ allows her a second input $\bot$, modeling the abort of the protocol.

Proposition 8.1 Protocol COIN satisfies correctness, according to Definition [X 

Correctness is obvious by inspection of the protocol: If both players are honest, they 
independently choose random bits a and b. These bits are then combined via exclusive 
disjunction, resulting in a uniformly random coin. 






Simulation $\hat A'$:

1. Upon receiving $\mathrm{commit}(a, r)$ from A', $\hat A'$ sends $start$ and then $\top$ to $\mathcal{F}_{COIN}$ as first and second input, respectively, and receives a uniformly random $coin$.

2. $\hat A'$ computes $a$ and $r$ from $\mathrm{commit}(a, r)$.

3. $\hat A'$ computes $b = coin \oplus a$ and sends $b$ to A'.

4. $\hat A'$ waits to receive A''s last message and outputs whatever A' outputs.

Figure 8.3: The Ideal-World Simulation against dishonest Alice.



Theorem 8.1 Protocol COIN is unconditionally secure against any unbounded dishonest Al- 
ice according to Definition 3^, provided that the underlying commitment scheme is uncon- 
ditionally binding. 



Proof. We construct an ideal-world adversary $\hat A'$, such that the real output of the protocol is statistically indistinguishable from the ideal output produced by $\hat A'$, $\mathcal{F}_{COIN}$ and A'. The ideal-world simulation is depicted in Figure 8.3.

First note that $a$, $r$ and $\mathrm{commit}(a, r)$ are chosen and computed as in the real protocol. From the statistically binding property of the commitment scheme, it follows that A''s choice bit $a$ is uniquely determined from $\mathrm{commit}(a, r) = c$, since for any $c$, there exists at most one pair $(a, r)$ such that $c = \mathrm{commit}(a, r)$, except with probability negligible in the security parameter $n$. Hence in the real world, A' is unconditionally bound to her bit before she learns B's choice bit, which means $a$ is independent of $b$. Therefore in Step 2, the simulator can correctly (but not necessarily efficiently) compute $a$ (and $r$). Note that, in the case of unconditional security, we do not have to require the simulation to be efficient. However, we show in Section 8.3.2 how to extend the underlying commitment in order to extract A''s inputs. This extraction requires an extraction trapdoor and yields an efficient simulation in the CRS-model. Finally, due to the properties of XOR, A' cannot tell the difference between the random $b$ computed from the ideal, random $coin$ in the simulation in Step 3 and the randomly chosen $b$ of the real world. It follows that the simulated output is statistically indistinguishable from the output in the real protocol. ■

To prove security against any dishonest quantum-computationally bounded B', we will
follow the lines of argument of Section 3.6.3, in particular Definition 3.7, with slight
modifications. More specifically, we do not require a common reference string, so we can
omit this part of the definition. Thus, we show that there exists an ideal-world simulation
B̂' with output quantum-computationally indistinguishable from the output of the protocol
in the real world. For the ideal world, we consider the poly-size input sampler, which takes
as input only the security parameter and produces a valid input state ρ_{UZV} = ρ_{U↔Z↔V}, as
specified in Section 3.6.3.



In a simulation against a classical adversary, a classical poly-time simulator would work
as follows. It inquires coin from F_COIN, chooses random a and r, and computes b' = coin ⊕ a
as well as commit(a, r). It then sends commit(a, r) to B' and receives the choice bit b of B'.
If b = b', the simulation was successful. Otherwise, the simulator rewinds B' and repeats
the simulation. For a security proof against any quantum adversary, we construct a poly-
time quantum simulator proceeding similarly to its classical analogue. However, it requires
quantum registers as work space and relies on Watrous' quantum rewinding lemma (see
Lemma 3.2). Recall from Section 3.5.2 that Watrous constructs the quantum simulator
for a Σ-protocol, i.e. a protocol in three-move form, where the verifier flips a single coin
in the second step and sends this challenge to the prover. Since these are the essential
aspects also in our protocol COIN, we can apply Watrous' quantum rewinding technique
(with slight modifications) as a black box to our protocol. We also follow his notation and
line of argument here. For a more detailed description and proofs, we refer to [Wat09] and
Section 3.5.2.
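To make the two simulation strategies concrete, the following is an added toy implementation of protocol COIN in Python; it is not code from the thesis. A hash-based commitment stands in for the unconditionally binding scheme, the simulator against dishonest Alice of Figure 8.3 extracts (a, r) from the commitment by exhaustive search, which is correct but not efficient, exactly as the proof of Theorem 8.1 allows, and the classical rewinding simulator against Bob sketched above guesses b' = coin ⊕ a, commits, and re-runs Bob until his reply matches the guess. The commitment function, the 16-bit randomizer length and the two sample Bob strategies are assumptions constructed for this example.

```python
import hashlib
import secrets

R_BITS = 16  # constructed: toy randomizer length, small enough for exhaustive extraction


def commit(a, r):
    """Toy commitment to bit a with randomizer r (stand-in for the thesis' scheme).
    Binding holds only up to SHA-256 collisions; hiding relies on r staying secret."""
    return hashlib.sha256(bytes([a]) + r.to_bytes(4, "big")).digest()


def valid_opening(c, a, r):
    return commit(a, r) == c


def real_run(alice_bit, bob):
    """Honest execution of COIN: Alice commits to a, Bob replies with b,
    Alice opens, and the coin is a xor b.  `bob` maps a commitment to a bit."""
    r = secrets.randbelow(1 << R_BITS)
    c = commit(alice_bit, r)
    b = bob(c)                       # Bob may let b depend on the commitment
    if not valid_opening(c, alice_bit, r):
        return None                  # honest Alice always opens correctly
    return alice_bit ^ b


def extract(c):
    """Step (2) of Figure 8.3 for an unbounded simulator: recover the unique
    (a, r) behind c by exhaustive search.  Correct because the commitment is
    binding, but exponential in R_BITS, i.e. not an efficient simulation."""
    for a in (0, 1):
        for r in range(1 << R_BITS):
            if commit(a, r) == c:
                return a, r
    raise ValueError("no opening found; commitment is malformed")


def simulate_against_alice(c, coin):
    """Ideal-world simulator of Figure 8.3: given dishonest Alice's commitment c
    and the coin obtained from F_COIN, return the message b with a xor b == coin."""
    a, _ = extract(c)
    return coin ^ a


def simulate_against_bob(bob, coin, max_tries=10_000):
    """Classical rewinding simulator against Bob: guess b' = coin xor a, commit,
    and rewind (re-run) Bob until his reply equals the guess.  Because a is
    hidden by the commitment, each attempt succeeds with probability about 1/2.
    Returns ((commitment, b, opening), number_of_tries)."""
    for tries in range(1, max_tries + 1):
        a = secrets.randbits(1)
        r = secrets.randbelow(1 << R_BITS)
        c = commit(a, r)
        b = bob(c)                   # Bob's reply to this fresh commitment
        if b == coin ^ a:            # guess b' matched: transcript is consistent
            return (c, b, (a, r)), tries
    raise RuntimeError("rewinding budget exhausted")


# Constructed sample strategies for Bob: an honest one, and one whose reply is a
# fixed function of the commitment bytes (the commitment hides a, so this reply
# is still uncorrelated with a and the rewinding loop still terminates quickly).
def honest_bob(c):
    return secrets.randbits(1)


def commitment_dependent_bob(c):
    return c[0] & 1
```

In the real world `real_run` produces a uniform coin whenever Alice is honest; in the ideal world `simulate_against_alice` forces the transcript to agree with the coin handed out by F_COIN, and `simulate_against_bob` returns both the accepted transcript and how many rewinds it took, which stays small precisely because Bob's reply cannot depend on the hidden bit a.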

Theorem 8.2 For p₀ > 1/4, protocol COIN is quantum-computationally secure against any
poly-time bounded dishonest Bob (according to Definition 3.7 but with the modification
described above), provided that the underlying commitment scheme is quantum-computationally
hiding.

Proof. Let |ψ⟩ denote the n-qubit auxiliary input of B'. Let W denote the auxiliary input
register of B', containing |ψ⟩. Let V and B denote the work space of B', where V is an arbitrary
polynomial-size register and B is a single-qubit register. A's classical messages are considered
in the following as being stored in quantum registers A_1 and A_2. In addition, the quantum
simulator uses registers R, containing all possible choices of a classical simulator, and G,
representing its guess b' on the message b of B' in the second step. Finally, let X denote a working
register of size k, which is initialized to the state |0^k⟩ and corresponds to the collection of all
registers described above except W.

The quantum rewinding procedure is implemented by a general quantum circuit R_coin
with input (W, X, B', coin). As a first step, it applies a unitary (n, k)-quantum circuit Q
to (W, X) to simulate the conversation, obtaining registers (G, Y). Then, a test takes place
to observe whether the simulation was successful. In that case, R_coin outputs the resulting
quantum register. Otherwise, it quantumly rewinds by applying the reverse circuit Q^† on
(G, Y) to retrieve (W, X) and then a phase-flip transformation on X before another iteration
of Q is applied. Note that R_coin is essentially the same circuit as R described in [Wat09]
(and Section 3.5.2), but in our application it depends on the value of a given coin, i.e., we
apply R_0 or R_1 for coin = 0 or coin = 1, respectively.

In more detail, Q transforms (W, X) to (G, Y) by the following unitary operations:

(1.) It constructs a superposition over all possible random choices of values in the real
protocol, i.e.,

$$\frac{1}{\sqrt{2^{k^*}}} \sum_{a,r} |a, r\rangle_R \, |\mathrm{commit}(a,r)\rangle_{A_1} \, |b' = \mathit{coin} \oplus a\rangle_G \, |\mathrm{open}(a,r)\rangle_{A_2} \, |0\rangle_B \, |0\rangle_V \, |\psi\rangle_W ,$$

where k* ≤ k. Note that the state of registers (A_1, G, A_2) corresponds to a uniform
distribution of possible transcripts of the interaction between the players.
(2.) For each possible commit(a, r), it simulates the possible actions of B' by applying a unitary
operator to (W, V, B, A_1) with register A_1 as control, i.e.,

$$\frac{1}{\sqrt{2^{k^*}}} \sum_{a,r} |a, r\rangle_R \, |\mathrm{commit}(a,r)\rangle_{A_1} \, |b'\rangle_G \, |\mathrm{open}(a,r)\rangle_{A_2} \, |b\rangle_B \, |\phi\rangle_V \, |\psi\rangle_W ,$$

where φ and ψ now describe modified quantum states. Note that register B now includes
the reply b of B'.

(3.) Finally, a CNOT-operation is applied to the pair (B, G) with B as control to check whether
the simulator's guess of B's choice was correct. The result of the CNOT-operation is
stored in register G:

$$\frac{1}{\sqrt{2^{k^*}}} \sum_{a,r} |a, r\rangle_R \, |\mathrm{commit}(a,r)\rangle_{A_1} \, |b' \oplus b\rangle_G \, |\mathrm{open}(a,r)\rangle_{A_2} \, |b\rangle_B \, |\phi\rangle_V \, |\psi\rangle_W .$$

Note that the qubit in register G gives the information about success or failure of the sim-
ulated run, and the other registers are combined in the residual (n + k − 1)-qubit register
Y.

Since the commitment scheme in the protocol is only quantum-computationally hiding,
we must allow for small perturbations in the quantum rewinding procedure, according to
Lemma 3.2: Bound ε indicates the advantage of B' over a random guess on the committed value
with q = 1/2 (and therefore his advantage to bias the outcome), due to his computing power,
i.e. ε = |p − 1/2|. From the hiding property of the commitment scheme, it follows that ε
is negligible in the security parameter n. Thus, we can argue that probability p is close to
independent of the auxiliary input. As a lower bound on the success probability, we chose
p₀ ≥ 1/4, which matches our setting.

Thus, we have circuit Q as described above and our setting achieves the given bounds, so
Lemma 3.2 applies. We can now construct an ideal-world quantum simulator B̂' (see Figure 8.4),
interacting with B' and the ideal functionality F_COIN and executing Watrous' quantum
rewinding algorithm. We then compare the output states of the real process and the
ideal process. In case of indistinguishable outputs, quantum-computational security against
B' follows.

First note that the superposition constructed as described above in circuit Q in Step (1.)
corresponds to all possible random choices of values in the real protocol. Furthermore,
the circuit models any possible strategy of quantum B' in Step (2.), depending on the control
register |commit(a, r)⟩_{A_1}. The CNOT-operation on (B, G) in Step (3.), followed by a standard
measurement of G, indicates whether the guess b' on the choice b of B' was correct. If that was
not the case (i.e. b ≠ b' and measurement result 1), the system gets quantumly rewound by
applying the reverse transformations (3.)-(1.), followed by a phase-flip operation. The procedure
is repeated until the measurement outcome is 0 and hence b = b'. Watrous' technique then
guarantees that, for negligible advantage ε and a lower bound p₀ > 1/4, ε' is negligible. Thus,
the final output of the simulation is close to the "good" state of a successful simulation.
More specifically, the output ρ(ψ) of R_coin has square-fidelity close to 1 with the state |φ_good(ψ)⟩
of a successful simulation, i.e.

$$\langle \phi_{good}(\psi) | \, \rho(\psi) \, | \phi_{good}(\psi) \rangle \ge 1 - \varepsilon' ,$$
where ε' = 16 ε log²(1/ε) / (p₀² (1 − p₀)²). Last, note that all operations in Q (and therewith in
R_coin) can be performed by polynomial-size circuits, and thus the simulator has polynomial
size (in the worst case). It follows that the output of the ideal simulation is indistinguishable
from the output in the real world for any quantum-computationally bounded B'. ■

Simulation B̂':

1. B̂' gets the auxiliary quantum input W of B' and working registers X.

2. B̂' sends start and then ⊤ to F_COIN. It receives a uniformly random coin.

3. Depending on the value of coin, B̂' applies the corresponding circuit R_coin with
input W, X, B' and coin.

4. B̂' receives output register Y with |φ_good(ψ)⟩ and "measures the conversation" to
retrieve the corresponding (commit(a, r), b, open(a, r)). It outputs whatever B'
outputs.

Figure 8.4: The Ideal-World Simulation against dishonest Bob.



8.3 Composability

As already discussed in the previous part, there are several composition frameworks proposed
for the quantum setting, but for sequential composition we will argue along the lines of our
security framework (Section 8.3.1). In Section 8.3.2 we will use an extended commitment
construction to achieve a more general composability in the CRS-model. Note that only
sequential composition allows us to do coin-flipping from scratch.

8.3.1 Sequential Composition

Recall that we prove correctness and security for our single coin-flip according to the security
framework as described in Section 3.6, with the one modification that we do not assume
a common reference string in the simulation against a dishonest Bob (see Theorem 8.2).
However, we can still apply the Composition Theorems I and II (Theorems 3.2 and 3.3),
where we also omit the reference string in the latter. We will state the composition result
explicitly here.

Corollary 8.1 Let π_i = Π^COIN and F_i = F_COIN, and let Σ^{F_1···F_ℓ} be a classical two-party
hybrid protocol which makes at most ℓ = poly(n) calls to the functionalities. Then, for every
i ∈ {1, …, ℓ}, each protocol π_i is a statistically secure implementation of F_i against 𝔄 and
a computationally secure implementation of F_i against 𝔅_poly.
It holds that there exists an ideal-world adversary Â' ∈ 𝔄 such that

$$\mathit{out}^{\Sigma^{\pi_1 \cdots \pi_\ell}}_{A', B} \approx_s \mathit{out}^{\Sigma^{F_1 \cdots F_\ell}}_{\hat{A}', B} ,$$

and an ideal-world adversary B̂' ∈ 𝔅_poly such that for every efficient input sampler, we have

$$\mathit{out}^{\Sigma^{\pi_1 \cdots \pi_\ell}}_{A, B'} \approx_q \mathit{out}^{\Sigma^{F_1 \cdots F_\ell}}_{A, \hat{B}'} .$$

The ideal functionality for sequential coin-flipping, i.e. F_{ℓ-COIN} = Σ^{F_1···F_ℓ}, is depicted in
Figure 8.5. Note that F_{ℓ-COIN} is in fact derived from composing the functionality F_COIN of
a single coin-flip sequentially but interpreted more directly, e.g. it does not output the bits
one after another but as a string, and thus does not output the precedent coins in case of
an intermediate abort.

Functionality F_{ℓ-COIN}:

1. Upon receiving requests start from both Alice and Bob, F_{ℓ-COIN} outputs uniformly
random h ∈_R {0, 1}^ℓ to Alice.

2. It then waits to receive her second input ⊤ or ⊥ and outputs h or ⊥ to Bob,
respectively.

Figure 8.5: The Ideal Functionality for Sequential ℓ-bit Coin-Flipping.

8.3.2 General Composition

For our coin-flipping protocol without set-up, we cannot claim universal composability. We
do not require (nor obtain) an efficient simulator in the case of unconditional security against
dishonest Alice, and furthermore we allow rewinding in the case of dishonest Bob. These two
aspects contradict the universal composability framework.

Efficient simulation requires some trapdoor information in the commitment construction,
which is available only to a simulator, so that it is able to extract dishonest Alice's choice bit
efficiently. Therefore, we have to extend the commitment scheme by including an extraction
trapdoor. To circumvent the necessity of rewinding dishonest Bob, we further extend the
scheme with respect to equivocability, i.e., the simulator can now construct a valid com-
mitment which can later be opened to both bit values as desired. Note that with such
requirements, the CRS-model seems unavoidable.

An appropriate extended construction is proposed in Section 7.2. The real-world key
consists of commitment key pkB and (invalid) instance x'. During simulation against A', Â'
chooses pkB with matching decryption key sk and can therefore extract the choice bit a of A'
by decrypting both commitments c_0 and c_1. In both worlds, the commitment is uncondi-
tionally binding. During simulation against B', B̂' chooses commitment key pkH and (valid)
instance x. Hence, the commitment is unconditionally hiding and can be equivocated by
using w to compute two valid replies in the underlying Σ-protocol. Quantum-computational
security in real life follows from the indistinguishability of the keys pkB and pkH and the
indistinguishability of the instances x and x', and efficiency of both simulations is ensured
due to extraction and equivocability.

Again, by combining our extended construction in the CRS-model providing efficient
simulations on both sides with the results of Section 7.2 and [Unr10, Theorem 20], we get
the following result that Π^COIN computationally quantum-UC-emulates its corresponding ideal
functionality F_COIN for both dishonest players. In the next Chapter 9, we will show another
method of achieving full simulatability in the plain model without any set-up assumption,
when both players are poly-time bounded.



9 Amplification Framework for Strong Coins

Here, we present a framework that amplifies weak security requirements on coins into very
strong properties, with the final result of a quantum-secure and fully simulatable coin-flipping
protocol, which can be implemented in the plain model from scratch. The results in this
chapter are joint work with Nielsen [LN10].



9.1 Motivation

Coin-flipping of a single coin is in itself an intriguing and prolific primitive in cryptographic
protocol theory. Its full potential is tapped in the possibility of flipping a string of coins, which
opens up various applications and implementations without any set-up assumptions. We
will discuss some examples thereof later in Chapter 10.

In this chapter, we first investigate the different degrees of security that a string of
coins can acquire. Then, we propose and prove constructions that allow us to amplify the
respective degrees of security such that weaker coins are converted into very strong ones in
a straightforward way.¹ Our method only assumes mixed commitment schemes, which we
know how to construct with quantum security; no other assumptions are put forward. Our
final result is a coin-flipping protocol which is fully simulatable in polynomial time, even
against poly-sized quantum adversaries on both sides, and which can be implemented with
quantum-computational security in the plain model from scratch.

Our method of amplifying the security of coin-flipping also applies to potential constant-
round coin-flipping. Such a strong and efficient construction would require a basic quantum-
secure coin-flip protocol with long outcomes (in constant rounds) and poly-time simulatability
on one side. Its construction, however, is still a fascinating open problem in the quantum
world.

¹For the sake of clarity, we note that we use the (intuitive) literal interpretation of "weak" and "strong"
coins related to their degrees of security, which differs from their definitions in the quantum literature (see
also Section 2.4.4).
9.2 Security Notions

We denote a generic protocol with a λ-bit coin-string as output by Π^{λ-COIN}_{A,B}, corresponding to
an ideal functionality F_{λ-COIN}.² Recall that the outcome of such a protocol is c ∈ {0, 1}^λ ∪ {⊥},
i.e., either a λ-bit string or an error message ⊥. We will use several security parameters,
indicating the length of coin-strings for different purposes. The lengths of a coin-flip yielding
a key and a challenge are denoted by κ and σ, respectively, and the length of a final coin-flip
is indicated by ℓ, i.e., we allow that λ is a function of the respective parameter, e.g. λ(κ),
but we write κ instead.

Throughout this chapter, we restrict both players Alice and Bob to the families 𝔄_poly and
𝔅_poly of classical polynomial-time strategies, i.e. for the honest case we require A, Â ∈ 𝔄_poly
and B, B̂ ∈ 𝔅_poly, and for possibly quantum dishonest entities we demand A', Â' ∈ 𝔄_poly
and B', B̂' ∈ 𝔅_poly. We want to stress here that, in contrast to previous chapters, both
players are poly-time bounded. This means, in particular, that the ideal functionality is
defined symmetrically such that the respective dishonest party always has an option to abort.
For clarity, we will explicitly show the ideal functionalities in the case of both players being
honest (Figure 9.1) and in the case of dishonest Alice and honest Bob (Figure 9.2). The
latter then also applies to honest Alice and dishonest Bob by simply switching sides and
names.



Functionality F_{λ-COIN} with honest players:

Upon receiving requests start from both Alice and Bob, F_{λ-COIN} outputs uniformly
random h ∈_R {0, 1}^λ to Alice and Bob.

Figure 9.1: The Ideal Functionality for λ-bit Coin-Flipping (without Corruption).

Functionality F_{λ-COIN} with dishonest Alice:

1. Upon receiving requests start from both Alice and Bob, F_{λ-COIN} outputs uni-
formly random h ∈_R {0, 1}^λ to Alice.

2. It then waits to receive her second input ⊤ or ⊥ and outputs h or ⊥ to Bob,
respectively.

Figure 9.2: The Ideal Functionality for λ-bit Coin-Flipping (with Corruption).

Recall that the joint output representation of a protocol execution is denoted by out^Π_{A,B}
with Π = Π^{λ-COIN}_{A,B}, given here for the case of honest players. The same notation with
F = F_{λ-COIN} and A, B applies in the ideal world as out^F_{A,B}, where the players invoke the
ideal functionality F_{λ-COIN} and output whatever they obtain from it. We need an additional
notation here, describing the outcome of a protocol run between e.g. honest A and B, namely

$$c \leftarrow \Pi^{\lambda\text{-}COIN}_{A,B} .$$

²We want to stress that throughout the chapter, a reference to any coin-flip is understood as one run of
coin-flipping with a coin-string outcome.

We will define three flavors of security for coin-flipping protocols, namely uncontrollable
(uncont), random and enforceable (force). The two sides can have different flavors. Then, if
a protocol Π^{λ-COIN}_{A,B} is, for instance, enforceable against Alice and random against Bob, we
write π^{(force,random)}, and similarly for the eight other combinations of security. Note that
for simplicity of notation, we will then omit the indexed names as well as the length of the
coin, as they are clear from the context. Similar to the ideal functionality for the case of
dishonest Alice, we define all three flavors for Alice's side only, as the definitions for Bob are
analogous. The flavors are defined along the lines of the security framework introduced in
Section 3.6 but with adaptions to reflect the particular context here. Recall that U', Z, and
V denote dishonest Alice's quantum and classical input, and honest Bob's classical input,
respectively. Note that an honest player's input is empty but models the invocation start.
Any input state ρ_{U'ZV} is restricted to ρ_{U'ZV} = ρ_{U'↔Z↔V}, such that Alice's quantum and
Bob's classical part are only correlated via Alice's classical Z. We assume again a poly-size
input sampler, which takes as input the security parameter and then produces a valid input
state ρ_{U'ZV} = ρ_{U'↔Z↔V} (and analogously ρ_{UZV} in case of dishonest Bob).

We stress that we require for all three security flavors and for all c ∈ {0, 1}^λ that

$$\Pr\left[ c \leftarrow \Pi^{\lambda\text{-}COIN}_{A,B} \right] = 2^{-\lambda} ,$$

which implies that when both parties are honest, the coin is unbiased. Below we only
define the extra properties required for each of the three flavors.



We call a coin-flip uncontrollable against Alice if she cannot force the coin to hit some
negligible subset, except with negligible probability.

Definition 9.1 (Uncontrollability against dishonest Alice) We say that the protocol
Π^{λ-COIN}_{A',B} implements an uncontrollable coin-flip against dishonest Alice, if it holds for any
poly-sized adversary A' ∈ 𝔄_poly with inputs as specified above and all negligible subsets Q ⊆
{0, 1}^λ that the probability

$$\Pr\left[ c \leftarrow \Pi^{\lambda\text{-}COIN}_{A',B} : c \in Q \right] \in \mathrm{negl}(\kappa) .$$

Note that we denote by Q ⊆ {0, 1}^λ a family of subsets {Q(κ) ⊆ {0, 1}^{λ(κ)}}_{κ∈ℕ} for security
parameter κ. Then we call Q negligible if |Q(κ)| 2^{−λ(κ)} is negligible in κ. In other words, we
call a subset negligible if it contains a negligible fraction of the elements of the set in which
it lives.



We call a coin-flip random against Alice if she cannot enforce a non-uniformly random
output string in {0, 1}^λ, except by making the protocol fail on some chosen runs. That means
she can at most lower the probability of certain output strings compared to the uniform case.

Definition 9.2 (Randomness against dishonest Alice) We say that protocol Π^{λ-COIN}_{A',B}
implements a random coin-flip against dishonest Alice, if it holds for any poly-sized ad-
versary A' ∈ 𝔄_poly with inputs as specified above that there exists an event E such that
Pr[E] ∈ negl(κ) and for all x ∈ {0, 1}^λ it holds that

$$\Pr\left[ c \leftarrow \Pi^{\lambda\text{-}COIN}_{A',B} : c = x \,\middle|\, \bar{E} \right] \le 2^{-\lambda} .$$

It is obvious that if a coin-flip is random against Alice, then it is also an uncontrollable coin-
flip against her. We will later discuss a generic transformation going in the other direction,
from uncontrollable to random coin-flipping.

We call a coin-flip enforceable against Alice if it is possible, given a uniformly random c,
to simulate a run of the protocol hitting exactly the outcome c, though we still allow that
the corrupted party forces an abort on some outcomes.

Definition 9.3 (Enforceability against dishonest Alice) We call a protocol Π^{λ-COIN}_{A',B}
enforceable against dishonest Alice if it implements the ideal functionality F_{λ-COIN} against
her.

In more detail, that means that for any poly-sized adversary A' ∈ 𝔄_poly there exists an
ideal-world adversary Â' ∈ 𝔄_poly that simulates the protocol with A' as follows. Â' requests
output h ∈ {0, 1}^λ from F_{λ-COIN}. Then it simulates a run of the coin-flipping protocol with
A' and tries to enforce output h. If Â' succeeds, it inputs ⊤ as the second input of A' to F_{λ-COIN}.
In that case, F_{λ-COIN} outputs h. Otherwise, Â' inputs ⊥ to F_{λ-COIN} as second input and
F_{λ-COIN} outputs ⊥. The simulation is such that the ideal output is quantum-computationally
indistinguishable from the output of an actual run of the protocol, i.e.,

$$\mathit{out}^{\Pi}_{A', B} \approx_q \mathit{out}^{F}_{\hat{A}', B} ,$$

where Π = Π^{λ-COIN}_{A',B} and F = F_{λ-COIN}.

Note that an enforceable coin-flip is not necessarily a random coin-flip, as it is allowed
that the outcome of an enforceable coin-flip is only quantum-computationally indistinguish-
able from uniformly random, whereas a random coin-flip is required to produce truly random
outcomes on the non-aborting runs.



We defined an enforceable coin-flip against dishonest Alice to be a coin-flip, simulatable
on her side and implementing the corresponding ideal functionality against her. The same
result with switched sides also holds for any poly-time bounded Bob. Thus, we obtain a
coin-flip protocol for which we can simulate both sides in polynomial time. Corollary 9.1
follows.

Corollary 9.1 Let Π^{λ-COIN}_{A,B} be an enforceable coin-flip against both parties Alice and Bob
with A ∈ 𝔄_poly and B ∈ 𝔅_poly, i.e. Π^{λ-COIN}_{A,B} = π^{(force,force)}. Then π^{(force,force)} is a fully
poly-time simulatable coin-flipping protocol for the ideal functionality F_{λ-COIN} with quantum-
computational indistinguishability between the real and the ideal output.

Combining the part regarding simulatability in Corollary 8.1, where we again omit the
common reference string, in contrast to the original Composition Theorem II (Theorem 3.3),
with the results of Corollary 9.1, we can show that each protocol π^{(force,force)} is a computa-
tionally secure implementation of F_{λ-COIN} against both 𝔄_poly and 𝔅_poly.

Corollary 9.2 Protocol π^{(force,force)} composes sequentially.
9.3 Amplification Theorems

We now propose and prove theorems which allow us to amplify the security strength of
coins. Ultimately, we aim at constructing a strong coin-flipping protocol π^{(force,force)} with
outcomes of any polynomial length ℓ in λ from any weaker coin-flip protocol, i.e., either
from a protocol π^{(force,random)} producing one-bit outcomes (Section 9.3.1), or from a protocol
π^{(force,uncont)} giving outcomes of length κ, as described in Section 9.3.2. In both cases, the
first step towards π^{(force,force)} is to build a protocol with outcomes of length ℓ.

We want to stress that if the underlying protocol already produces ℓ-bit outcomes and
is constant round, then the resulting protocol π^{(force,force)} will also be constant round. If
we start from a protocol only producing constant-sized outcomes, then π^{(force,force)} will use
O(ℓ) times the number of rounds used by the underlying scheme.

We note here that we do not know of any candidate protocol with flavor (force, uncont)
but not (force, random). However, we consider it a contribution in itself to find the weak-
est security notion for coin-flipping that allows amplifying to the final strong (force, force)
notion using a constant-round reduction.

9.3.1 From Short Outcomes to Long Outcomes

To obtain long coin-flip outcomes, we can repeat a given protocol π^{(force,random)} with one-bit
outcomes ℓ times in sequence to get a protocol π^{(force,random)} with ℓ-bit outcomes. A candidate
for π^{(force,random)} with one-bit outcomes is the protocol of Chapter 8, which is, in terms of
this context, enforceable against one side in poly-time and random on the other side, with
empty event E according to Definition 9.2 and the randomness guarantee even withstanding
an unbounded adversary. The protocol was argued to be sequentially composable according
to Corollary 8.1.

Note that this protocol is previously described and proven as π^{(random,force)}. However,
due to the symmetric coin-flip definitions here and the restriction of entities to families of
classical polynomial-time strategies, we can easily switch sides between A and B.

9.3.2 From (force, uncont) to (force, random)

Assume that we are given a protocol π^{(force,uncont)}, which only guarantees that Bob cannot
force the coin to hit a negligible subset (except with negligible probability). We now amplify
the security on Bob's side from uncontrollable to random and therewith obtain a protocol
π^{(force,random)}, in which Bob cannot enforce a non-uniformly random output string, except
by letting the protocol fail on some occasions. The stronger protocol is shown in Figure 9.3.
The underlying commitment commit denotes the commitment algorithm of the keyed mixed
string commitment scheme as described in Section 4.1. Recall that commit does not require
actual unconditionally hiding keys, but rather it suffices to use uniformly random strings from
{0, 1}^κ, which unconditionally hide the plaintext, except with negligible probability. The
possibility of using random strings ensures that most keys of the given domain are in that
sense unconditionally hiding keys.

Proposition 9.1 Protocol π^{(force,random)} satisfies correctness, according to Definition 3.4.
Protocol π^{(force,random)}:

1. A and B run π^{(force,uncont)} to produce a public key pk ∈ {0, 1}^κ.

2. A samples a ∈_R {0, 1}^ℓ, commits to it with A = commit(a, r) and randomizer
r ∈_R {0, 1}^ℓ, and sends A to B.

3. B samples b ∈_R {0, 1}^ℓ and sends b to A.

4. A opens A towards B.

5. The outcome is c = a ⊕ b.

Figure 9.3: Amplification from (force, uncont) to (force, random).

Correctness is obvious by inspection of the protocol. If both players are honest, they
independently choose random strings a and b. The result of these strings combined by the
XOR-operation gives a uniformly random coin c of length ℓ.

Theorem 9.1 If π^{(force,uncont)} is enforceable against Alice and uncontrollable against Bob,
then protocol π^{(force,random)} is enforceable against Alice and random against Bob.

Proof (Enforceability against Alice). In case of corrupted A', Â' samples (pk, sk)
as input. It then requests a uniformly random value h from F_{ℓ-COIN}. It runs π^{(force,uncont)}
with A', in which Â' enforces the outcome pk in the first step. When A' sends commitment
A, Â' uses sk to decrypt A to learn the unique string a that A can be opened to. Â'
computes b = h ⊕ a and sends b to A'. If A' opens commitment A correctly, then the result
is c = a ⊕ b = a ⊕ (h ⊕ a) = h, as desired. In case she does not open correctly, Â' aborts with
result ⊥. Otherwise, Â' outputs whatever A' outputs.

Since h is uniformly random and independent of A and a, it follows that b = h ⊕ a is
uniformly random and independent of A, exactly as in the protocol. Therefore, the transcript
of the simulation has the same distribution as the real protocol, except that pk is uniform
in X and not in {0, 1}^κ. This is, however, quantum-computationally indistinguishable, as
otherwise A' could distinguish random access to samples from X from random access to
samples from {0, 1}^κ. The formal proof proceeds through a series of hybrids, as described in
full detail in the proof of Theorem 9.2 in the next Section 9.3.3.

The above two facts, that first we hit h when we do not abort, and second that the tran-
script of the simulation is quantum-computationally indistinguishable from the real protocol,
show that the resulting protocol is enforceable against Alice and simulatable on Alice's side
for functionality F_{ℓ-COIN}, according to Definition 9.3 combined with Theorem 9.3.

Proof (Randomness against Bob). For any B', pk is uncontrollable, i.e. pk ∈ {0, 1}^κ \
X, except with negligible probability, as X is negligible in {0, 1}^κ. This, in particular, means
that the commitment A perfectly hides the value a. Therefore, a is uniformly random and
independent of b, and thus h = a ⊕ b is uniformly random. This proves that the resulting
coin-flip is random against Bob, according to Definition 9.2.
Protocol π^{(force,force)}:

1. A and B run π^{(force,random)} to produce a random public key pk ∈ {0, 1}^κ.

2. A computes and sends commitments COMMIT_pk(a, r) = (A_1, …, A_Σ) to B. In
more detail, A samples uniformly random a, s ∈ 𝔽^σ. She then computes sss(a; s) =
(a_1, …, a_Σ) and A_i = commit_pk(a_i, r_i) for all i = 1, …, Σ.

3. B samples uniformly random b ∈ {0, 1}^ℓ and sends b to A.

4. A sends secret shares (a_1, …, a_Σ) to B. If (a_1, …, a_Σ) is not consistent with a
polynomial of degree at most (2σ − 1), B aborts.

5. A and B run π^{(random,force)} to produce a challenge S ⊂ {1, …, Σ} of length |S| = σ.

6. A sends r|_S to B.

7. B checks if A_i = commit_pk(a_i, r_i) for all i ∈ S. If that is the case, B computes the
message a ∈ 𝔽^σ consistent with (a_1, …, a_Σ) and the outcome of the protocol is
c = a ⊕ b. Otherwise, B aborts and the outcome is c = ⊥.

Figure 9.4: Amplification from (force, random) to (force, force).



9.3.3 Prom (force, random) to (force, force) 

We now show how to obtain a coin-flipping protocol, which is enforceable against both 



parties. Then, we can also claim by Corollary 9.1 that this protocol is a strong coin- flipping 



protocol, poly-time simulatable on both side s for the natural ideal functionality J-e-com- The 



protocol is described in Figure 9.4 



Note that the final protocol makes two calls to a subprotocol with random flavor on 
one side and enforceability on the other side, but where the sides are interchanged for each 
instance, i.e. 7r(f°^<=^'^^<iom) ^(random,force)_ rpj^^^ mcaus that we switch the players' roles 

as well as the direction of the messages. Furthermore, note that we use here the possibility 
of trapdoor openings in our extended commitment construction COMMIT, based on secret 



sharing and mixed commitments, as described in detail in Section 7.3 
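The secret-sharing layer of COMMIT in Figure 9.4, as an added example in Python that is not the thesis' own construction: sss(a; s) is realised as packed Shamir sharing over a prime field, where the message a and the randomness s together fix a polynomial of degree at most 2σ − 1 and the Σ shares are its evaluations. The block implements Bob's degree check of Step 4, the recovery of a in Step 7, and shows why opening the σ shares selected by the challenge S reveals nothing about a: for every alternative message a' there is exactly one randomness s' that agrees with the opened shares. The prime field, the evaluation points (message at −1, …, −σ, randomness at Σ+1, …, Σ+σ, shares at 1, …, Σ) and the sample values are assumptions of this example; the commitments commit_pk around the shares are left out.

```python
import secrets

P = 2**31 - 1  # constructed: prime field F_P; the thesis does not fix a field


def interpolate_at(points, x):
    """Evaluate at x the unique polynomial of degree < len(points) passing
    through `points` (Lagrange interpolation over F_P)."""
    total = 0
    for i, (xi, yi) in enumerate(points):
        num, den = 1, 1
        for j, (xj, _) in enumerate(points):
            if i != j:
                num = num * (x - xj) % P
                den = den * (xi - xj) % P
        total = (total + yi * num * pow(den, P - 2, P)) % P
    return total


def message_points(a):
    # message a = (a_1, ..., a_sigma) is placed at x = -1, ..., -sigma (assumed layout)
    return [(-j % P, a[j - 1]) for j in range(1, len(a) + 1)]


def sss(a, s, Sigma):
    """Packed Shamir sharing sss(a; s): the polynomial f of degree at most
    2*sigma - 1 is fixed by f(-j) = a_j and f(Sigma + j) = s_j, j = 1..sigma;
    the Sigma shares are f(1), ..., f(Sigma)."""
    sigma = len(a)
    assert len(s) == sigma and Sigma >= 2 * sigma
    pts = message_points(a) + [(Sigma + j, s[j - 1]) for j in range(1, sigma + 1)]
    return [interpolate_at(pts, i) for i in range(1, Sigma + 1)]


def consistent(shares, sigma):
    """Step 4 check by B: do all shares lie on one polynomial of degree at most
    2*sigma - 1?  The first 2*sigma shares determine that polynomial, so every
    remaining share must equal its evaluation."""
    base = list(enumerate(shares[:2 * sigma], start=1))
    return all(interpolate_at(base, i) == y for i, y in enumerate(shares, start=1))


def recover(shares, sigma):
    """Step 7: the message a consistent with the shares (any 2*sigma of them suffice)."""
    base = list(enumerate(shares[:2 * sigma], start=1))
    return [interpolate_at(base, -j % P) for j in range(1, sigma + 1)]


def randomness_explaining(shares, S, a_alt, Sigma):
    """Why a challenge of |S| = sigma opened shares says nothing about a: for ANY
    message a_alt, the opened shares plus a_alt are 2*sigma points and therefore
    fix exactly one polynomial, i.e. exactly one randomness s_alt such that
    sss(a_alt; s_alt) agrees with `shares` on S.  Returns that s_alt."""
    sigma = len(a_alt)
    assert len(S) == sigma
    pts = [(i, shares[i - 1]) for i in S] + message_points(a_alt)
    return [interpolate_at(pts, Sigma + j) for j in range(1, sigma + 1)]


def sample_randomness(sigma):
    """Honest Alice's choice of s in Step 2."""
    return [secrets.randbelow(P) for _ in range(sigma)]
```

`consistent` is what lets Bob reject a malformed sharing before the challenge is even chosen, and `randomness_explaining` is the fact the equivocation in Section 7.3 builds on: since the σ opened shares are compatible with every message, a simulator holding trapdoor openings for the unopened commitments is free to decide a after seeing S.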



Proposition 9.2 Protocol $\pi^{(\mathrm{force},\mathrm{force})}$ satisfies correctness, according to Definition 3.4.

Again, correctness can be trivially checked, first by observing that honest players independently input uniformly random strings a and b, and second by verifying that these strings combined by XOR result in a uniformly random coin c of length $\ell$.

Theorem 9.2 If $\pi^{(\mathrm{force},\mathrm{random})}$ is enforceable against Alice and random against Bob, then protocol $\pi^{(\mathrm{force},\mathrm{force})}$ is enforceable against both Alice and Bob.

Proof (Enforceability against Alice). If A' is corrupted, the simulator $\hat{\mathsf{A}}'$ samples $(pk, sk) \leftarrow \mathcal{G}$ as input and enforces $\pi^{(\mathrm{force},\mathrm{random})}$ in the first step to hit the outcome pk. It then requests value h from $\mathcal{F}_{\ell\text{-coin}}$. When A' sends commitments $(A_1, \ldots, A_\Sigma)$, $\hat{\mathsf{A}}'$ uses sk to extract a' with $(a'_1, \ldots, a'_\Sigma) = (\mathrm{xtr}_{sk}(A_1), \ldots, \mathrm{xtr}_{sk}(A_\Sigma))$. $\hat{\mathsf{A}}'$ then sets $b = h \oplus a'$ and sends b to A'. Then $\hat{\mathsf{A}}'$ finishes the protocol honestly. In the following, we will prove that the transcript is quantum-computationally indistinguishable from the real protocol and that if $c \neq \bot$, then $c = h$, except with negligible probability.

First, we show indistinguishability. The proof proceeds via a hybrid argument.¹ Let $\mathcal{D}^0$ denote the distribution of the output of the simulation as described. We now change the simulation such that, instead of sending $b = h \oplus a'$, we simply choose a uniformly random $b \in \{0,1\}^\ell$ and then output the corresponding $h = a' \oplus b$. Let $\mathcal{D}^1$ denote the distribution of the output of the simulation after this change. Since h is uniformly random and independent of a' in the first case, it follows that then $b = h \oplus a'$ is uniformly random. Therefore, the change to choose a uniformly random b in the second case actually does not change the distribution at all, and it follows that $\mathcal{D}^0 = \mathcal{D}^1$.

By sending a uniformly random b, we are in a situation where we do not need the decryption key sk to produce $\mathcal{D}^1$, as we no longer need to know a'. So we can now make the further change that, instead of forcing $\pi^{(\mathrm{force},\mathrm{random})}$ to produce a random public key $pk \in \mathcal{X}$, we force it to hit a random public key $pk \in \{0,1\}^\kappa$. This produces a distribution $\mathcal{D}^2$ of the output of the simulation. Since $\mathcal{D}^1$ and $\mathcal{D}^2$ only differ in the key we enforce in $\pi^{(\mathrm{force},\mathrm{random})}$, and since the simulation is quantum poly-time, there exists a poly-sized circuit Q such that $Q(\mathcal{U}(\mathcal{X})) = \mathcal{D}^1$ and $Q(\mathcal{U}(\{0,1\}^\kappa)) = \mathcal{D}^2$, where $\mathcal{U}(\mathcal{X})$ and $\mathcal{U}(\{0,1\}^\kappa)$ denote the uniform distribution on $\mathcal{X}$ and the uniform distribution on $\{0,1\}^\kappa$, respectively. As $\mathcal{U}(\mathcal{X})$ and $\mathcal{U}(\{0,1\}^\kappa)$ are quantum-computationally indistinguishable, and Q is poly-sized, it follows that $Q(\mathcal{U}(\mathcal{X}))$ and $Q(\mathcal{U}(\{0,1\}^\kappa))$ are quantum-computationally indistinguishable, and therewith $\mathcal{D}^1 \approx \mathcal{D}^2$.

A last change to the simulation is applied by running $\pi^{(\mathrm{force},\mathrm{random})}$ honestly instead of enforcing a uniformly random $pk \in \{0,1\}^\kappa$. Let $\mathcal{D}^3$ denote the distribution obtained after this change. As given in Definition 9.3, real runs of $\pi^{(\mathrm{force},\mathrm{random})}$ and runs enforcing a uniformly random value are quantum-computationally indistinguishable. Using a similar argument as above, where Q is the part of the protocol following the run of $\pi^{(\mathrm{force},\mathrm{random})}$, we get that $\mathcal{D}^2 \approx \mathcal{D}^3$. Finally, by transitivity, it follows that $\mathcal{D}^0 \approx \mathcal{D}^3$. The observation that $\mathcal{D}^0$ is the distribution of the simulation and $\mathcal{D}^3$ is the actual distribution of the real protocol concludes the first part of the proof.

We now argue the second part, i.e., if $c \neq \bot$, then $c = h$, except with negligible probability. This follows by arguing soundness of the commitment scheme COMMIT, according to Lemma 7.1. Recall that, if $pk \in \mathcal{X}$, then the probability that A' can open any A to a plaintext different from $\mathrm{xtr}_{sk}(A)$ is at most $(\tfrac{1}{2})^\sigma$ when S is picked uniformly at random and independent of A. The requirement on S is, however, guaranteed (except with negligible probability) by the random flavor of the underlying protocol $\pi^{(\mathrm{random},\mathrm{force})}$ producing S. This concludes the proof of enforceability against Alice, as given in Definition 9.3.



¹ Briefly, a hybrid argument is a proof technique to show that two (extreme) distributions are computationally indistinguishable via proceeding through several (adjacent) hybrid distributions. If all adjacent distributions are pairwise computationally indistinguishable, it follows by transitivity that the two end points are so as well. We want to point out that we are not subject to any restrictions in how to obtain the hybrid distributions as long as we maintain indistinguishability.
Simulation $\hat{\mathsf{B}}'$ for $\pi^{(\mathrm{force},\mathrm{force})}$:

1. $\hat{\mathsf{B}}'$ requests h from $\mathcal{F}_{\ell\text{-coin}}$ and runs $\pi^{(\mathrm{force},\mathrm{random})}$ honestly with B' to produce a uniformly random public key $pk \in \{0,1\}^\kappa$.

2. $\hat{\mathsf{B}}'$ computes $\mathrm{COMMIT}_{pk}(a'; (s, r)) = (A_1, \ldots, A_\Sigma)$ for uniformly random $a', s \in \mathbb{F}^\sigma$ and sends $(A_1, \ldots, A_\Sigma)$ to B'.

3. $\hat{\mathsf{B}}'$ receives b from B'.

4. $\hat{\mathsf{B}}'$ computes $a = h \oplus b$. It then picks a uniformly random subset $S \subset \{1, \ldots, \Sigma\}$ with $|S| = \sigma$, and lets $a'|_S$ be the $\sigma$ messages committed to by $A|_S$. Then, it interpolates the unique polynomial f of degree at most $(2\sigma - 1)$ for which $f(i) = a'_i$ for $i \in S$ and for which $f(-i+1) = a_i$ for $i \in \{1, \ldots, \sigma\}$. Finally, it sends $(f(1), \ldots, f(\Sigma))$ to B'.

5. During the run of $\pi^{(\mathrm{random},\mathrm{force})}$, $\hat{\mathsf{B}}'$ enforces the challenge S.

6. $\hat{\mathsf{B}}'$ sends $r|_S$ to B'.

7. $\hat{\mathsf{B}}'$ outputs whatever B' outputs.

Figure 9.5: Simulation for Bob's force in $\pi^{(\mathrm{force},\mathrm{force})}$.



Proof (Enforceability against Bob). To prove enforceability against corrupted B', we construct a simulator $\hat{\mathsf{B}}'$ as shown in Figure 9.5. It is straightforward to verify that the simulation always ensures that $c = h$, if B' does not abort. However, we must explicitly argue that the simulation is quantum-computationally indistinguishable from the real protocol.

Indistinguishability follows by first arguing that the probability for $pk \notin \{0,1\}^\kappa \setminus \mathcal{X}$ is negligible. This follows from $\mathcal{X}$ being negligible in $\{0,1\}^\kappa$ and pk, produced with flavor random against B' by $\pi^{(\mathrm{force},\mathrm{random})}$, being uniformly random in $\{0,1\}^\kappa$, except with negligible probability.

Second, we have to show that if $pk \in \{0,1\}^\kappa \setminus \mathcal{X}$, then the simulation is quantum-computationally close to the real protocol. This can be shown via the following hybrid argument. Let $\mathcal{D}^0$ be the distribution of the output of the simulation and let $\mathcal{D}^1$ be the distribution of the output of the simulation where we send all $a'_i$ for $i = 1, \ldots, \Sigma$ at the end of Step (4). Since commitments by $\mathrm{commit}_{pk}(\cdot, \cdot)$ are unconditionally hiding in case of $pk \in \{0,1\}^\kappa \setminus \mathcal{X}$, commitments by $\mathrm{COMMIT}_{pk}(\cdot, \cdot)$ are unconditionally hiding as well. Furthermore, both a' and a are uniformly random, so we obtain statistical closeness between $(a', \mathrm{COMMIT}_{pk}(a'; (s, r)))$ and $(a, \mathrm{COMMIT}_{pk}(a'; (s, r)))$. Note further that the distributions $\mathcal{D}^0$ and $\mathcal{D}^1$ can be produced by a poly-sized circuit applied to either $(a', \mathrm{COMMIT}_{pk}(a'; (s, r)))$ or $(a, \mathrm{COMMIT}_{pk}(a'; (s, r)))$, so it holds that $\mathcal{D}^0 \approx \mathcal{D}^1$.

Now, let $\mathcal{D}^2$ be the distribution obtained by not simulating the opening via the trapdoor, but instead doing it honestly to the value committed to, i.e. (a', r). We still use the challenge S from the forced run of $\pi^{(\mathrm{random},\mathrm{force})}$ though. However, for uniformly random challenges, real runs are quantum-computationally indistinguishable from simulated runs, and we get $\mathcal{D}^1 \approx \mathcal{D}^2$.

Next, let $\mathcal{D}^3$ be the distribution of the output of the simulation where we run $\pi^{(\mathrm{random},\mathrm{force})}$ honestly instead of enforcing outcome S. We then use the honestly produced S' in the proof in Step (6) instead of the enforced S. We can do this, as we modified the process leading to $\mathcal{D}^2$ towards an honest opening without any trapdoor, so we no longer need to enforce a particular challenge. Under the assumption that $\pi^{(\mathrm{random},\mathrm{force})}$ is enforceable against B', and observing that real runs are quantum-computationally indistinguishable from runs enforcing uniformly random outcomes, we obtain $\mathcal{D}^2 \approx \mathcal{D}^3$.

Finally, we get by transitivity that $\mathcal{D}^0 \approx \mathcal{D}^3$ and conclude the proof by observing that after our changes, the process producing $\mathcal{D}^3$ is the real protocol. This concludes the proof of enforceability against Bob, according to Definition 9.3 with switched sides. ■
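The extended commitment of Figure 9.4 and the trapdoor opening of Figure 9.5, Step 4, as an added example that is not part of the thesis: it works over a prime field and uses a hash commitment as a stand-in for commit_pk (both assumptions), and shows Bob's consistency check and reconstruction, the simulator's interpolation through the σ positions it will enforce as challenge, and why an opener without the trapdoor is caught by a challenge chosen independently of the opening.

```python
# Added example (not from the thesis): the secret-sharing based extended
# commitment COMMIT_pk(a; (s, r)) of Figure 9.4 over a prime field, Bob's
# consistency check (Step 4) and reconstruction (Step 7), and the
# simulator's trapdoor opening of Figure 9.5, Step 4. The field F_p, the
# hash-based stand-in for commit_pk and the placement of the randomness s
# at the points Sigma+1, ..., Sigma+sigma are constructed choices, not the
# thesis's own instantiation.
import hashlib
import secrets

P = (1 << 61) - 1  # prime modulus of F_p (constructed choice)

def lagrange_eval(points, x):
    """Value at x of the unique polynomial of degree < len(points) through
    the given (x_i, y_i) pairs; all arithmetic in F_p."""
    total = 0
    for i, (xi, yi) in enumerate(points):
        num, den = 1, 1
        for j, (xj, _) in enumerate(points):
            if i != j:
                num = num * (x - xj) % P
                den = den * (xi - xj) % P
        total = (total + yi * num * pow(den, P - 2, P)) % P
    return total

def sss(a, s, Sigma):
    """sss(a; s): shares f(1), ..., f(Sigma) of a in F_p^sigma, where f has
    degree at most 2*sigma-1, f(-i+1) = a_i carries the message and
    f(Sigma+i) = s_i fixes the remaining sigma degrees of freedom."""
    sigma = len(a)
    assert len(s) == sigma and Sigma > 2 * sigma
    pts = [((1 - i) % P, a[i - 1]) for i in range(1, sigma + 1)]
    pts += [(Sigma + i, s[i - 1]) for i in range(1, sigma + 1)]
    return [lagrange_eval(pts, x) for x in range(1, Sigma + 1)]

def consistent(shares, sigma):
    """Bob's check in Step 4: all Sigma shares lie on one polynomial of
    degree at most 2*sigma-1 (the first 2*sigma shares determine it)."""
    pts = [(i + 1, y) for i, y in enumerate(shares)]
    base = pts[:2 * sigma]
    return all(lagrange_eval(base, x) == y for x, y in pts[2 * sigma:])

def recover(shares, sigma):
    """Bob's Step 7: the message a consistent with the shares."""
    base = [(i + 1, y) for i, y in enumerate(shares)][:2 * sigma]
    return [lagrange_eval(base, (1 - i) % P) for i in range(1, sigma + 1)]

def commit(value, r):
    """Stand-in for commit_pk(a_i, r_i): a plain hash commitment (assumption;
    the thesis uses a keyed mixed commitment with an extraction trapdoor)."""
    return hashlib.sha256(f"{value}|{r.hex()}".encode()).hexdigest()

def trapdoor_shares(target, known, Sigma):
    """Simulator's Step 4 of Figure 9.5: the unique f of degree at most
    2*sigma-1 with f(i) = a'_i on the sigma positions i in S that will be
    opened and f(-i+1) = target_i; returns f(1), ..., f(Sigma)."""
    sigma = len(target)
    assert len(known) == sigma
    pts = list(known.items())
    pts += [((1 - i) % P, target[i - 1]) for i in range(1, sigma + 1)]
    return [lagrange_eval(pts, x) for x in range(1, Sigma + 1)]

def demo(sigma=3, Sigma=10):
    rnd = lambda: secrets.randbelow(P)
    # honest Alice: commit to the shares of a random a (Figure 9.4, Step 2)
    a, s = [rnd() for _ in range(sigma)], [rnd() for _ in range(sigma)]
    shares = sss(a, s, Sigma)
    r = [secrets.token_bytes(16) for _ in range(Sigma)]
    coms = [commit(y, ri) for y, ri in zip(shares, r)]
    honest_ok = consistent(shares, sigma) and recover(shares, sigma) == a
    # simulator: after learning b it must make Bob reconstruct a = h xor b;
    # it fixes the challenge S it will later enforce and interpolates
    target = [rnd() for _ in range(sigma)]
    S = secrets.SystemRandom().sample(range(1, Sigma + 1), sigma)
    forged = trapdoor_shares(target, {i: shares[i - 1] for i in S}, Sigma)
    openings_ok = all(commit(forged[i - 1], r[i - 1]) == coms[i - 1] for i in S)
    trapdoor_ok = (consistent(forged, sigma) and openings_ok
                   and recover(forged, sigma) == target)
    # binding without the trapdoor (cf. Lemma 7.1): the forged and the honest
    # polynomial differ, so they agree on at most 2*sigma-1 of the Sigma
    # shares; a challenge chosen independently of the opening thus lands on
    # a mismatching, non-openable position except with small probability
    agree = sum(1 for i in range(Sigma) if forged[i] == shares[i])
    return honest_ok, trapdoor_ok, agree <= 2 * sigma - 1
```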



Applications

Coin-flipping as a stand-alone tool allows us to use it rather freely in several contexts. Shared randomness is a crucial ingredient in many cryptographic implementations. Applications in the common-reference-string model, which assumes a random public string before communication, achieve great efficiency and composability, and many protocols have been proposed in this model. In this chapter, we will discuss example applications that rely on shared randomness. Two applications relate to the context of zero-knowledge. First, we show a simple transformation from non-interactive zero-knowledge to interactive quantum zero-knowledge. This result appeared in [DL09]. Then, we propose a quantum-secure zero-knowledge proof of knowledge, which is interesting also in that the construction relies not only on initial randomness but also on enforceable randomness as discussed in Chapter 9. This construction is part of the results in [LN10]. Last, we discuss the interactive generation of a common reference string for the proposed lattice-based instantiation of the compiler construction, proposed in Chapter 5 and applied in Chapter 6. This result appeared in [DFL+09] and [DL09].



10.1 Interactive Quantum Zero-Knowledge

Zero-knowledge proofs, as described in Section 2.4.5, are an important building block for larger cryptographic protocols, capturing the definition of convincing the verifier of the validity of a statement with no information beyond that.



10.1.1 Motivation and Related Work

As in the classical case, where ZK protocols exist if one-way functions exist, quantum zero-knowledge (QZK) is possible under the assumption that quantum one-way functions exist. In [Kob03], Kobayashi showed that a common reference string or shared entanglement is necessary for non-interactive quantum zero-knowledge. Interactive quantum zero-knowledge protocols in restricted settings were proposed by Watrous in the honest-verifier setting [Wat02] and by Damgård et al. in the CRS-model [DFS04], where the latter introduced the first Σ-protocols for QZK withstanding even active quantum attacks. In [Wat09], Watrous then proved that several interactive protocols are zero-knowledge against general quantum attacks.

It has also been shown that any honest-verifier zero-knowledge protocol can be made zero-knowledge against any classical and quantum verifier [HKSZ08]. In more detail, they showed how to transform a Σ-protocol with stage-by-stage honest-verifier zero-knowledge into a new Σ-protocol that is zero-knowledge against all verifiers. Special bit commitment schemes are proposed to limit the number of rounds, and each round is viewed as a stage in which an honest-verifier simulator is assumed. Then, by using a technique of [DGW94], each stage can be converted to obtain zero-knowledge against any classical verifier. Finally, Watrous' quantum rewinding lemma is applied in each stage to prove zero-knowledge also against any quantum verifier. We now show a simple transformation from non-interactive (quantum) zero-knowledge to interactive quantum zero-knowledge by combining the coin-flip protocol with any non-interactive ZK protocol. Note that a non-interactive zero-knowledge proof system can be trivially turned into an interactive honest-verifier zero-knowledge proof system by just letting the verifier choose the reference string, and therefore, this consequence of our result also follows from [HKSZ08]. However, our proof is much simpler and the coin-flipping is not restricted to a specific zero-knowledge construction. In addition, we obtain the corollary that if there exist mixed commitments, then we can achieve interactive quantum zero-knowledge against any poly-sized quantum adversary without any set-up assumptions.

10.1.2 Formal Definition of Zero-Knowledge Proofs

In Section 2.4.5, we gave an intuitive introduction to zero-knowledge proof systems. Here, we make this description formal. Recall that a zero-knowledge proof for set $\mathcal{L}$ on common input x yields no other knowledge than the validity of membership $x \in \mathcal{L}$. An interactive proof system must fulfill completeness and soundness, as given in Definitions 10.1 and 10.2, and is interactive quantum zero-knowledge (IQZK) if in addition Definition 10.3 holds. Note that in the following, we let A be the prover and let B denote the verifier.

Definition 10.1 (Completeness) If $x \in \mathcal{L}$, the probability that (A, B) rejects x is negligible in the length of x.

Definition 10.2 (Soundness) If $x \notin \mathcal{L}$, then for any unbounded prover A', the probability that (A', B) accepts x is negligible in the length of x.

Definition 10.3 (Zero-Knowledge) An interactive proof system (A, B') for language $\mathcal{L}$ is quantum zero-knowledge if for any quantum verifier B', there exists a simulator $\mathcal{S}$ with output quantum-computationally indistinguishable from the real output, i.e.,

$$ out_{\mathsf{A},\mathsf{B}'} \approx out_{\mathcal{S},\mathsf{B}'} \,, $$

on common input $x \in \mathcal{L}$ and arbitrary additional (quantum) input to B'.

According to [BFM88], the interaction between prover and verifier can be replaced by a common reference string. Then, there is only a single message sent from prover to verifier, who makes the final decision whether to accept or not. More precisely, both parties A and B get common input x. A common reference string $\omega$ of size k allows the prover A, who knows a witness w, to give a non-interactive zero-knowledge proof $\pi(x, \omega)$ to a (possibly quantum) verifier, poly-time bounded in k. For simplicity, we consider the proof of a single theorem of size smaller than n (and n < k), i.e. $\mathcal{L}_k = \{x \in \mathcal{L} \mid |x| < n\}$. The extension to a more general notion is rather straightforward (see [BFM88] for details).

Completeness and soundness hold as defined above, but we explicitly state the definitions as given in [BFM88] and adapted to our context.

Definition 10.4 (Completeness in NIZK) There exists a constant c > 0 such that for all $x \in \mathcal{L}_k$, the acceptance probability is overwhelming, i.e.,

$$ \Pr_{\mathrm{complete}} = \Pr\big[\omega \leftarrow \{0,1\}^{n^c},\ \pi(x,\omega) \leftarrow \mathsf{A}(\omega, x, w) : \mathsf{B}(\omega, x, \pi(x,\omega)) = 1\big] \geq 1 - \epsilon $$

where $\epsilon$ is negligible in n (and k).

Definition 10.5 (Soundness in NIZK) There exists a constant c > 0 such that for all $x \notin \mathcal{L}_k$ and for all provers A', the acceptance probability is negligible, i.e.,

$$ \Pr_{\mathrm{sound}} = \Pr\big[\omega \leftarrow \{0,1\}^{n^c},\ \pi(x,\omega) \leftarrow \mathsf{A}'(\omega, x) : \mathsf{B}(\omega, x, \pi(x,\omega)) = 1\big] \leq \epsilon' $$

where $\epsilon'$ is negligible in n (and k).

The non-interactive zero-knowledge requirement is simpler than for general zero-knowledge for the following reason. Since all information is communicated mono-directionally from prover to verifier in the protocol, the verifier does not influence the distribution in the real world. Thus, in the ideal world, we require a simulator that only outputs pairs that are (quantum-)computationally indistinguishable from the distribution of pairs $(\omega, \pi(x,\omega))$ in the real world, where $\pi$ is generated with uniformly chosen $\omega$ and random x.¹ In other words, we can eliminate the quantification over all B' in the zero-knowledge definition.

Definition 10.6 (Non-Interactive Zero-Knowledge) There exist a constant c > 0 and a simulator $\mathcal{S}$ with output quantum-computationally indistinguishable from the real output, i.e.,

$$ out_{\mathsf{A},\mathsf{B}} \approx out_{\mathcal{S}_{\mathrm{NIZK}}} \,, $$

where $out_{\mathsf{A},\mathsf{B}} = \{\omega \leftarrow \{0,1\}^{n^c},\ \pi(x,\omega) \leftarrow \mathsf{A}(x,\omega) : (\omega, \pi(x,\omega))\}$.
10.1.3 The Transformation

We obtain a generic transformation of non-interactive zero-knowledge into interactive quantum zero-knowledge as follows. In each invocation, protocol COIN generates a truly random coin even in the case of a malicious quantum B'. A string of such coins, obtained by sequential composition as described in Section 8.3.1 by the ideal functionality in Figure 8.5, is then used as reference string in any (NIZK)-subprotocol with properties as defined previously.

The final protocol IQZK is shown in Figure 10.3. To prove that it is an interactive quantum zero-knowledge protocol, we first construct an intermediate protocol $\mathrm{IQZK}^{\mathcal{F}_{k\text{-coin}}}$ (see Figure 10.1) that runs with the ideal functionality $\mathcal{F}_{k\text{-coin}}$. Then we prove that $\mathrm{IQZK}^{\mathcal{F}_{k\text{-coin}}}$ satisfies completeness, soundness and zero-knowledge according to Definitions 10.1 - 10.3. To complete the proof, the calls to $\mathcal{F}_{k\text{-coin}}$ are replaced with actual invocations of the sequentially composed protocol COIN, and we arrive at IQZK.



¹ Indistinguishability, in turn, implies that the proof construction withstands quantum-computationally bounded verifiers.
PROTOCOL $\mathrm{IQZK}^{\mathcal{F}_{k\text{-coin}}}$:

(COIN) 1. A and B invoke $\mathcal{F}_{k\text{-coin}}$. If A aborts by sending $\bot$ as second input, B aborts the protocol. Otherwise, A and B set $\omega = h$.

(NIZK) 2. A sends $\pi(x, \omega)$ to B. B checks the proof and accepts or rejects accordingly.

Figure 10.1: Intermediate Protocol for IQZK.



Claim 10.1 Protocol $\mathrm{IQZK}^{\mathcal{F}_{k\text{-coin}}}$ satisfies completeness, according to Definition 10.1.

Proof. From the ideal functionality $\mathcal{F}_{k\text{-coin}}$ it follows that $\omega$ is uniformly random. Then by Definition 10.4 of any (NIZK)-subprotocol, we know that, for $x \in \mathcal{L}_k$, B accepts, except with negligible probability (in the length of x). Thus, completeness for $\mathrm{IQZK}^{\mathcal{F}_{k\text{-coin}}}$ follows. ■

Claim 10.2 Protocol $\mathrm{IQZK}^{\mathcal{F}_{k\text{-coin}}}$ satisfies soundness, according to Definition 10.2.

Proof. Assume that $x \notin \mathcal{L}_k$. Any dishonest A' might stop $\mathrm{IQZK}^{\mathcal{F}_{k\text{-coin}}}$ at any point during execution. For example, she can block the output in Step (1) or she can refuse to send a proof $\pi$ in (NIZK). Furthermore, A' can use an invalid $\omega$ (or x) for $\pi$. In all of these cases, B will abort without even checking the proof.

Therefore, A''s best strategy is to "play the entire game", i.e. to execute $\mathrm{IQZK}^{\mathcal{F}_{k\text{-coin}}}$ without making obvious cheats. A' can only convince B in the (NIZK)-subprotocol of a $\pi$ for any given (i.e. normally generated) $\omega$ with a probability that is negligible in the length of x (see Definition 10.5). Therefore, the probability that A' can convince B in the full $\mathrm{IQZK}^{\mathcal{F}_{k\text{-coin}}}$ in case of $x \notin \mathcal{L}_k$ is also negligible and its soundness follows. ■

Claim 10.3 Protocol $\mathrm{IQZK}^{\mathcal{F}_{k\text{-coin}}}$ is an interactive zero-knowledge proof, according to Definition 10.3.

Proof. We construct a simulator $\mathcal{S}_{\mathrm{IQZK}^{\mathcal{F}_{k\text{-coin}}}}$, interacting with dishonest B', and a simulator $\mathcal{S}_{\mathrm{NIZK}}$. As given in Definition 10.6, such a simulator generates, on input $x \in \mathcal{L}$, a randomly looking $\omega$ together with a valid proof $\pi$ for x (without knowing witness w). $\mathcal{S}_{\mathrm{IQZK}^{\mathcal{F}_{k\text{-coin}}}}$, described in Figure 10.2, receives a random string $\omega$ from $\mathcal{S}_{\mathrm{NIZK}}$, which now replaces the coin-string h produced by $\mathcal{F}_{k\text{-coin}}$ in protocol $\mathrm{IQZK}^{\mathcal{F}_{k\text{-coin}}}$. By assumption on $\mathcal{S}_{\mathrm{NIZK}}$, this is quantum-computationally indistinguishable for B'. Thus, the simulated proof $\pi(\omega, x)$ is indistinguishable from a real proof, which proves that $\mathrm{IQZK}^{\mathcal{F}_{k\text{-coin}}}$ is zero-knowledge. ■

It would be natural to think that IQZK could be proven secure simply by showing that $\mathrm{IQZK}^{\mathcal{F}_{k\text{-coin}}}$ implements some appropriate functionality and then use a composition theorem from Section 3.6. Recall, however, that a zero-knowledge protocol, which is not necessarily a proof of knowledge, cannot be modeled by a functionality in a natural way. Instead, we prove the standard properties of a zero-knowledge proof system explicitly and therewith the following Theorem 10.1.

Simulation $\mathcal{S}_{\mathrm{IQZK}^{\mathcal{F}_{k\text{-coin}}}}$:

1. $\mathcal{S}_{\mathrm{IQZK}^{\mathcal{F}_{k\text{-coin}}}}$ gets input x and invokes $\mathcal{S}_{\mathrm{NIZK}}$ with x to receive $\pi(\omega, x)$.

2. Let $\omega = h$. $\mathcal{S}_{\mathrm{IQZK}^{\mathcal{F}_{k\text{-coin}}}}$ sends h to B'.

3. $\mathcal{S}_{\mathrm{IQZK}^{\mathcal{F}_{k\text{-coin}}}}$ sends $\pi(\omega, x)$ to B' and outputs whatever B' outputs.

Figure 10.2: The Simulation of the Intermediate Protocol for IQZK.

PROTOCOL IQZK:

(COIN) A and B run the sequentially composed protocol COIN and set $\omega = h$.

(NIZK) A sends $\pi(\omega, x)$ to B. B checks the proof and accepts or rejects accordingly.

Figure 10.3: Interactive Quantum Zero-Knowledge.

Theorem 10.1 (Interactive Quantum Zero-Knowledge) Protocol IQZK is an interactive proof system, satisfying completeness and soundness. Since, for any quantum verifier B', there exists a simulator $\mathcal{S}_{\mathrm{IQZK}}$ with output quantum-computationally indistinguishable from the real output, we additionally achieve quantum zero-knowledge.

Proof. From the analysis of protocol COIN, its sequential composability, and the indistinguishability from the ideal functionality $\mathcal{F}_{k\text{-coin}}$, it follows that if both players are honest, $\omega$ is a random common reference string of size k and the acceptance probability of the (NIZK)-subprotocol as given previously holds. Completeness of IQZK follows.

To show soundness, we again only consider the case where A' executes the entire protocol without making obvious cheats, since otherwise, B immediately aborts. Assume that A' could cheat in IQZK, i.e., B would accept an invalid proof with non-negligible probability. Then we could combine A' with simulator $\hat{\mathsf{A}}'$ of protocol COIN (Figure 8.3) to show that $\mathrm{IQZK}^{\mathcal{F}_{k\text{-coin}}}$ was not sound. This, however, is inconsistent with the previously given soundness argument in the proof of Claim 10.2 and thus proves by contradiction that IQZK is sound.

To further prove that the interactive proof system is also quantum zero-knowledge, we compose a simulator $\mathcal{S}_{\mathrm{IQZK}}$ of simulator $\mathcal{S}_{\mathrm{IQZK}^{\mathcal{F}_{k\text{-coin}}}}$ (Figure 10.2) and simulator $\hat{\mathsf{B}}'$ of protocol COIN (Figure 8.4). In more detail, $\mathcal{S}_{\mathrm{IQZK}}$ gets classical input x as well as quantum input W and X. It then receives a valid proof $\pi$ and a random string $\omega$ from $\mathcal{S}_{\mathrm{NIZK}}$. $\omega$ is split into $coin_1 \ldots coin_k$. For each $coin_i$, it will then invoke $\hat{\mathsf{B}}'$ to simulate one coin-flip execution with $coin = coin_i$ as result. In other words, whenever $\hat{\mathsf{B}}'$ asks $\mathcal{F}_{\mathrm{coin}}$ to output a bit (Step (1), Figure 8.4), it instead receives this $coin_i$. We see that the transcript of the simulation is indistinguishable from the transcript of the protocol IQZK for any quantum-computationally bounded B'. This concludes the proof. ■

We conclude this section by the corollary, immediately following from the previous proof and stating that quantum-secure commitments, as defined in Section 7.1, imply interactive quantum zero-knowledge.

Corollary 10.1 If there exist quantum-secure commitment schemes, then we can obtain interactive quantum zero-knowledge against any quantum adversary $\mathsf{P}' \in \mathfrak{P}_{\mathrm{poly}}$ without any set-up assumptions.

10.2 Zero-Knowledge Proof of Knowledge

A zero-knowledge proof of knowledge is a special case of zero-knowledge proof systems, introduced in Section 2.4.5. Here, we propose a quantum-secure construction based on witness encoding, which we define in the context of simulation.

10.2.1 Motivation and Related Work

Recall that the purpose of a zero-knowledge proof of knowledge is to verify in classical poly-time in the length of the instance whether w is a valid witness for instance x in relation $\mathcal{R}$, i.e. $(x, w) \in \mathcal{R}$. We call $\mathcal{R}$ an NP-relation, as the language $\mathcal{L}(\mathcal{R}) = \{x \in \{0,1\}^* \mid \exists w \text{ s.t. } (x, w) \in \mathcal{R}\}$ is seen to be an NP-language. Interestingly, such a zero-knowledge proof of knowledge, in contrast to zero-knowledge proofs, can be modeled by an ideal functionality.

Our protocol is based on a witness encoding scheme, providing a certain degree of extractability and simulatability, defined in Section 10.2.2. We want to stress that the extractability requirement resembles special soundness in proof systems, which are secure in the classical world and typically come along with a knowledge error negligible in the length of the challenge. We have to reformulate this aspect in stronger terms in the quantum world, since special soundness seems to be impossible to use in the quantum realm, due to the restrictions within rewinding. However, we obtain a similar result also with knowledge error negligible in the length of the challenge.

Furthermore, our construction requires a mixed bit commitment (see Section 4.1) and two calls to the coin-flip protocol $\pi^{(\mathrm{force},\mathrm{force})}$, described in Figure 9.4, Chapter 9, which is poly-time simulatable for both sides even against quantum adversaries. Since this protocol only assumes mixed commitments as well, we get the corollary that if there exists a mixed commitment scheme, then we can construct a classical zero-knowledge proof of knowledge against any poly-sized quantum adversary. This is of particular interest, as the problems of rewinding in the quantum realm complicate implementing proofs of knowledge from scratch.

As already mentioned in Chapter 1, the unpublished approach of [Smi09] suggests another solution for this concept. Instead of composing the coin-string from single coins, they use a string commitment with special opening and compose the subsequent zero-knowledge proof. The coin-string is used as key to encode the witness and the second zero-knowledge proof is given to prove it.

10.2.2 Simulatable Witness Encodings of NP

We first specify a simulatable encoding scheme for a binary relation $\mathcal{R} \subset \{0,1\}^* \times \{0,1\}^*$, which consists of five classical poly-time algorithms $(E, D, S, J, \Sigma)$. Then, we define completeness, extractability and simulatability for such a scheme in terms of the requirements of our zero-knowledge proof of knowledge.

Let $E : \mathcal{R} \times \{0,1\}^m \to \{0,1\}^n$ denote an encoder, such that for each $(x, w) \in \mathcal{R}$, the n-bit output $e \leftarrow E(x, w, r')$ is a random encoding of w, with randomness $r' \in \{0,1\}^m$ and polynomials $m(|x|)$ and $n(|x|)$. The corresponding decoder $D : \{0,1\}^* \times \{0,1\}^n \to \{0,1\}^*$ takes as input an instance $x \in \{0,1\}^*$ and an encoding $e \in \{0,1\}^n$ and outputs $w \leftarrow D(x, e)$ with $w \in \{0,1\}^*$.

Next, let S denote a selector with input $s \in \{0,1\}^\sigma$ (with polynomial $\sigma(|x|)$) specifying a challenge, and output $S(s)$ defining a poly-sized subset of $\{1, \ldots, n\}$ corresponding to challenge s. We will use $S(s)$ to select which bits of an encoding e to reveal to the verifier. For simplicity, we use $e_s$ to denote the collection of bits $e|_{S(s)}$.

We denote with J the judgment that checks a potential encoding e by inspecting only the bits $e_s$. In more detail, J takes as input instance $x \in \{0,1\}^*$, challenge $s \in \{0,1\}^\sigma$ and the $|S(s)|$ bits $e_s$, and outputs a judgment $j \leftarrow J(x, s, e_s)$ with $j \in \{\mathrm{abort}, \mathrm{success}\}$.

Finally, the simulator is called $\Sigma$. It takes as input instance $x \in \{0,1\}^*$ and challenge $s \in \{0,1\}^\sigma$ and outputs a random collection of bits $t \leftarrow \Sigma(x, s)$. Again for simplicity, we let $t|_{S(s)} = t_s$. Then, if this set has the same distribution as the bits of an encoding e in positions $S(s)$, the bits needed for the judgment to check an encoding e can be simulated given just instance x (see Definition 10.9).

Definition 10.7 (Completeness) If an encoding $e \leftarrow E(x, w, r)$ is generated correctly, then $\mathrm{success} \leftarrow J(x, s, e_s)$ for all $s \in_R \{0,1\}^\sigma$.

We will call an encoding e admissible for x if there exist two distinct challenges $s, s' \in \{0,1\}^\sigma$ for which $\mathrm{success} \leftarrow J(x, s, e_s)$ and $\mathrm{success} \leftarrow J(x, s', e_{s'})$.

Definition 10.8 (Extractability) If an encoding e is admissible for x, then $(x, D(x, e)) \in \mathcal{R}$.

We want to stress that extractability is similarly defined to the special soundness property of a classical Σ-protocol, which allows to extract w from two accepting conversations with different challenges. Such a requirement would generally be inapplicable in the quantum setting, as the usual rewinding technique is problematic and, in particular in the context here, we cannot measure two accepting conversations during rewinding in the quantum world. Therefore, we define the stronger requirement that if there exist two distinct answerable challenges for one encoding e, then w can be extracted given only e. This condition works nicely in the quantum world, since we can obtain e without rewinding, as we will show in our quantum-secure proof construction.
Functionality $\mathcal{F}_{\mathrm{ZKPK}(\mathcal{R})}$:

1. On input (x, w) from Alice, $\mathcal{F}_{\mathrm{ZKPK}(\mathcal{R})}$ sets $j = \mathrm{success}$ if $(x, w) \in \mathcal{R}$. Otherwise, it sets $j = \mathrm{abort}$.

2. $\mathcal{F}_{\mathrm{ZKPK}(\mathcal{R})}$ outputs (x, j) to Alice and Bob.

Figure 10.4: The Ideal Functionality for a Zero-Knowledge Proof of Knowledge.

Definition 10.9 (Simulatability) For all $(x, w) \in \mathcal{R}$ and all $s \in_R \{0,1\}^\sigma$, the distribution of $e \leftarrow E(x, w, r')$ restricted to positions $S(s)$ is identical to the distribution of $t_s \leftarrow \Sigma(x, s)$, i.e.,

$$ \mathcal{D}(e_s) = \mathcal{D}(t_s) \,. $$

There are several commit&open proofs for NP. One can, for instance, start from the commit&open protocol for circuit satisfiability, where the bits of the randomized circuit committed to by the sender are easily seen as a simulatable encoding of a witness being a consistent evaluation of the circuit to output 1. The challenge in the protocol is one bit e and the prover replies by showing either the bits corresponding to some positions S'(0) or positions S'(1). The details can be found in [BCC88]. This gives us a simulatable witness encoding for any NP-relation $\mathcal{R}$ with $\sigma = 1$, using a reduction from NP to circuit satisfiability. By repeating it $\sigma$ times in parallel, we get a simulatable witness encoding for any $\sigma$. For $i = 1, \ldots, \sigma$, compute an encoding $e^i$ of w and let $e = (e^1, \ldots, e^\sigma)$. Then for $s \in \{0,1\}^\sigma$, let $S(s)$ specify that the bits $S'(s_i)$ should be shown in $e^i$ and check these bits. Note, in particular, that if two distinct s and s' pass this judgment, then there exists i such that $s_i \neq s'_i$, so $e^i$ passes the judgment for both $s_i = 0$ and $s_i = 1$, which by the properties of the protocol for circuit satisfiability allows to compute a witness w for x from $e^i$. One can find w from e simply by trying to decode each $e^j$ for $j = 1, \ldots, \sigma$ and check if $(x, w_j) \in \mathcal{R}$.
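The parallel repetition just described, as an added example that is not from the thesis: a simulatable witness encoding $(E, D, S, J, \Sigma)$ for the toy relation $A \cdot w = x$ over GF(2) with a public matrix A (an assumption chosen for illustration, with block layout $r \,\|\, r \oplus w \,\|\, A \cdot r$) and its σ-fold composition, checked against Definitions 10.7 to 10.9 and the extraction argument above.

```python
# Added example (not from the thesis): a simulatable witness encoding
# (E, D, S, J, Sigma) in the sense of Definitions 10.7 - 10.9 for the
# constructed toy relation R = {(x, w) : A.w = x over GF(2)}, with one
# challenge bit (sigma = 1) and the sigma-fold parallel repetition described
# above. The relation, the block layout e^i = r || r^w || A.r and all sample
# values are assumptions made for this illustration, not the thesis's own.
import itertools
import secrets

def matvec(A, v):  # A.v over GF(2); A is a list of rows, v a list of bits
    return [sum(a & b for a, b in zip(row, v)) % 2 for row in A]

def xor(u, v):
    return [a ^ b for a, b in zip(u, v)]

# ---- base scheme with a one-bit challenge: e = r || u || t, u = r^w, t = A.r
def E1(A, x, w, r=None):
    if r is None:
        r = [secrets.randbits(1) for _ in range(len(w))]
    return r + xor(r, w) + matvec(A, r)

def S1(m, k, s):  # revealed positions depend on the challenge bit s only
    t_pos = list(range(2 * m, 2 * m + k))
    return (list(range(0, m)) if s == 0 else list(range(m, 2 * m))) + t_pos

def J1(A, x, s, e_s):  # s = 0 checks t = A.r, s = 1 checks A.(r^w) = x^t
    m = len(A[0])
    v, t = e_s[:m], e_s[m:]
    return matvec(A, v) == (t if s == 0 else xor(x, t))

def D1(e, m):  # (r^w) ^ r = w
    return xor(e[:m], e[m:2 * m])

def Sim1(A, x, s, v=None):  # revealed bits sampled from x alone (Def. 10.9)
    if v is None:
        v = [secrets.randbits(1) for _ in range(len(A[0]))]
    return v + (matvec(A, v) if s == 0 else xor(matvec(A, v), x))

# ---- sigma-fold parallel repetition (E, D, S, J, Sigma) ----------------
class Parallel:
    def __init__(self, A, sigma):
        self.A, self.sigma, self.m, self.k = A, sigma, len(A[0]), len(A)
        self.blk = 2 * self.m + self.k  # bits per block e^i

    def E(self, x, w):
        return [b for _ in range(self.sigma) for b in E1(self.A, x, w)]

    def S(self, s):  # bits S'(s_i) of block i, for every i
        return [i * self.blk + p for i, si in enumerate(s)
                for p in S1(self.m, self.k, si)]

    def reveal(self, e, s):
        return [e[p] for p in self.S(s)]

    def J(self, x, s, e_s):
        per = self.m + self.k  # revealed bits per block
        ok = all(J1(self.A, x, si, e_s[i * per:(i + 1) * per])
                 for i, si in enumerate(s))
        return "success" if ok else "abort"

    def D(self, x, e):  # try every block e^j and keep the first valid witness
        for j in range(self.sigma):
            w = D1(e[j * self.blk:(j + 1) * self.blk], self.m)
            if matvec(self.A, w) == x:
                return w
        return None

    def Sim(self, x, s):
        return [b for si in s for b in Sim1(self.A, x, si)]

def demo(sigma=4):
    A = [[1, 0, 1, 1], [0, 1, 1, 0], [1, 1, 0, 1]]  # constructed 3x4 matrix
    w = [1, 0, 1, 1]
    x = matvec(A, w)
    sch, m = Parallel(A, sigma), len(w)
    e = sch.E(x, w)
    chals = list(itertools.product([0, 1], repeat=sigma))
    # Definition 10.7: an honest encoding answers every challenge
    complete = all(sch.J(x, s, sch.reveal(e, s)) == "success" for s in chals)
    # Definition 10.8 on an honest (hence admissible) encoding
    extract = matvec(A, sch.D(x, e)) == x
    # Definition 10.9 for the base scheme: over all r (resp. v), the honest
    # revealed bits and the simulated bits range over the same multiset
    same = True
    for s in (0, 1):
        pos = S1(m, len(A), s)
        honest = sorted(tuple(E1(A, x, w, list(r))[p] for p in pos)
                        for r in itertools.product([0, 1], repeat=m))
        simul = sorted(tuple(Sim1(A, x, s, list(v)))
                       for v in itertools.product([0, 1], repeat=m))
        same &= honest == simul
    # an encoding built without w for one challenge s0 (simulated bits at
    # S(s0), random elsewhere) passes s0; if it ever passes a second
    # challenge it is admissible and D still extracts a valid witness
    s0 = chals[secrets.randbelow(len(chals))]
    cheat = [secrets.randbits(1) for _ in range(sigma * sch.blk)]
    for p, b in zip(sch.S(s0), sch.Sim(x, s0)):
        cheat[p] = b
    passes = [s for s in chals if sch.J(x, s, sch.reveal(cheat, s)) == "success"]
    admissible_ok = s0 in passes and (
        len(passes) < 2 or matvec(A, sch.D(x, cheat)) == x)
    return complete, extract, same, admissible_ok
```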

10.2.3 The Protocol

We now construct a quantum-secure zero-knowledge proof of knowledge from prover A to verifier B. Recall that we are interested in the NP-language $\mathcal{L}(\mathcal{R}) = \{x \in \{0,1\}^* \mid \exists w \text{ s.t. } (x, w) \in \mathcal{R}\}$, where A has input x and w, and both A and B receive a positive or negative judgment of the validity of the proof as output. We assume in the following that on input $(x, w) \notin \mathcal{R}$, honest A aborts. The final protocol $\mathrm{ZKPK}(\mathcal{R})$ is described in Figure 10.5.

As already mentioned, unlike zero-knowledge proofs, proofs of knowledge can be modeled by an ideal functionality, given as $\mathcal{F}_{\mathrm{ZKPK}(\mathcal{R})}$ in Figure 10.4. $\mathcal{F}_{\mathrm{ZKPK}(\mathcal{R})}$ can be thought of as a channel which only allows to send messages in the language $\mathcal{L}(\mathcal{R})$. It models zero-knowledge, as it only leaks instance x and judgment j but not witness w. Furthermore, it models a proof of knowledge, since Alice has to know and input a valid witness w to obtain output $j = \mathrm{success}$.

Protocol $\mathrm{ZKPK}(\mathcal{R})$ is based on our fully simulatable coin-flip protocol $\pi^{(\mathrm{force},\mathrm{force})}$, which we analyze here in the hybrid model by invoking the ideal functionality of sequential coin-flipping twice (but with different output lengths). Note that in the hybrid model, a simulator can enforce a particular outcome to hit also when invoking the ideal coin-flipping functionality. We can then use Definition 9.3 to replace the ideal functionality by the actual protocol $\pi^{(\mathrm{force},\mathrm{force})}$.

Protocol $\mathrm{ZKPK}(\mathcal{R})$:

1. A and B invoke $\mathcal{F}_{\kappa\text{-coin}}$ to get a commitment key $pk \in \{0,1\}^\kappa$.

2. A samples $e \leftarrow E(x, w, r')$ with randomness $r' \in \{0,1\}^m$ and commits position-wise to all $e_i$ for $i = 1, \ldots, n$, by computing random commitments $E_i = \mathrm{COMMIT}_{pk}(e_i, r_i)$ with randomness $r \in \{0,1\}^n$. She sends x and all $E_i$ to B.

3. A and B invoke $\mathcal{F}_{\sigma\text{-coin}}$ to flip a challenge $s \in_R \{0,1\}^\sigma$.

4. A opens her commitments to all $e_s$.

5. If any opening is incorrect, B outputs abort. Otherwise, he outputs $j \leftarrow J(x, s, e_s)$ with $j \in \{\mathrm{success}, \mathrm{abort}\}$.

Figure 10.5: Zero-Knowledge Proof of Knowledge.

One call to the ideal functionality $\mathcal{F}_{\kappa\text{-coin}}$ with output length $\kappa$ is required to instantiate a mixed bit commitment scheme COMMIT as discussed in Section 7.2. Recall that it is therewith possible to sample an unconditionally binding key $pk \in \{0,1\}^\kappa$ along with an extraction key sk. Since such keys are quantum-computationally indistinguishable from random values in $\{0,1\}^\kappa$, the latter serve us as unconditionally hiding instantiations of COMMIT. The second call to the functionality $\mathcal{F}_{\sigma\text{-coin}}$ produces $\sigma$-bit challenges for a simulatable witness encoding scheme with $(E, D, S, J, \Sigma)$ as specified in the previous Section 10.2.2.



Theorem 10.2 (Zero-Knowledge Proof of Knowledge) For any simulatable witness encoding scheme $(E, D, S, J, \mathcal{E})$, satisfying completeness, extractability, and simulatability according to Definitions 10.1 to 10.9, and for negligible knowledge error $2^{-\sigma}$, protocol ZKPK($\mathcal{R}$) is a zero-knowledge proof of knowledge and securely implements $\mathcal{F}_{\mathrm{ZKPK}(\mathcal{R})}$. 

Completeness is obvious. An honest party A, following the protocol with $(x, w) \in \mathcal{R}$ and any valid encoding $e$, will be able to open all commitments in the positions specified by any challenge $s$. Honest Bob then outputs $J(x, s, e_s) = \mathrm{success}$. 



Proof (Security against dishonest Alice). To prove security in case of corrupted $A'$, we construct a simulator $\hat{A}'$ that simulates a run of the actual protocol with $A'$ and $\mathcal{F}_{\mathrm{ZKPK}(\mathcal{R})}$. The proof is then twofold. First, we show indistinguishability between the distributions of simulation and protocol. Second, we verify that the extractability property of the underlying witness encoding scheme (see Definition 10.8) implies a negligible knowledge error. Note that if $A'$ sends abort at any point during the protocol, $\hat{A}'$ sends some input $(x', w') \notin \mathcal{R}$ to $\mathcal{F}_{\mathrm{ZKPK}(\mathcal{R})}$ to obtain output $(x, j)$ with $j = \mathrm{abort}$, and the simulation halts. Otherwise, the simulation proceeds as shown in Figure 10.6. 

Simulation $\hat{A}'$ for ZKPK($\mathcal{R}$): 

1. $\hat{A}'$ samples a random key $pk$ along with the extraction key $sk$. Then it enforces $pk$ as output from $\mathcal{F}_{k\text{-}\mathrm{COIN}}$. 

2. When $\hat{A}'$ receives $x$ and $(E_1, \ldots, E_n)$ from $A'$, it extracts $e = (\mathrm{xtr}_{sk}(E_1), \ldots, \mathrm{xtr}_{sk}(E_n))$. 

3. $\hat{A}'$ completes the simulation by following the protocol honestly. If any opening of $A'$ is incorrect, $\hat{A}'$ aborts. Otherwise, $\hat{A}'$ inputs $(x, D(x, e))$ to $\mathcal{F}_{\mathrm{ZKPK}(\mathcal{R})}$ and receives $(x, j)$ back. $\hat{A}'$ outputs the final state of $A'$ as output in the simulation. 

Figure 10.6: Simulation against dishonest Alice. 

Note that the only difference between the real protocol and the simulation is that $\hat{A}'$ uses a random public key $pk$ sampled along with an extraction key $sk$, instead of a uniformly random $pk \in \{0,1\}^k$. It then enforces $\mathcal{F}_{k\text{-}\mathrm{COIN}}$ to hit $pk$. However, by the assumption on the commitment keys and by the properties of the ideal coin-flipping functionality, the transcripts of simulation and protocol remain quantum-computationally indistinguishable under these changes. 

Next, we analyze the output in more detail. It is clear that whenever honest B would output abort in the actual protocol, $\hat{A}'$ aborts as well, namely if $A'$ deviates in the last steps of protocol and simulation, respectively. Furthermore, $\hat{A}'$ accepts if and only if $(x, D(x, e)) \in \mathcal{R}$, or in other words, the judgment of the functionality is positive, denoted by $j_{\mathcal{F}} = \mathrm{success}$. 

It is therefore only left to prove that the case of $j_{\mathcal{F}} = \mathrm{abort}$ but $j_J = \mathrm{success}$ is negligible, where the latter denotes the judgment of algorithm $J(x, s, e_s)$ as in the protocol. In that case, we have $(x, D(x, e)) \notin \mathcal{R}$. This means that no witness $w$ is extractable as $D(x, e)$, which in turn implies that $(\mathrm{xtr}_{sk}(E_1), \ldots, \mathrm{xtr}_{sk}(E_n)) = e$ is not admissible. Thus, there are no two distinct challenges $s$ and $s'$ for which $A'$ could correctly open her commitments to $e$. It follows by contradiction that there exists at most one challenge $s$ which $A'$ can answer. We produce $s \in \{0,1\}^\sigma$ uniformly at random, from which we obtain an acceptance probability of at most $2^{-\sigma}$. Thus, we conclude the proof with negligible knowledge error, as desired. ■ 

Proof (Security against dishonest Bob). To prove security in case of corrupted $B'$, we construct simulator $\hat{B}'$ as shown in Figure 10.7. Our aim is to verify that this simulation is quantum-computationally indistinguishable from the real protocol. The key aspect will be the simulatability guarantee of the underlying witness encoding scheme, according to Definition 10.9. 

Simulation $\hat{B}'$ for ZKPK($\mathcal{R}$): 

1. $\hat{B}'$ invokes $\mathcal{F}_{k\text{-}\mathrm{COIN}}$ to receive a uniformly random $pk$. 

2. $\hat{B}'$ samples a uniformly random challenge $s \in \{0,1\}^\sigma$ and computes $t_s \leftarrow \mathcal{E}(x, s)$. $\hat{B}'$ then computes commitments $E_i$ as follows: For all $i \in S(s)$, it commits to the previously sampled $t_s$ via $E_i = \mathrm{COMMIT}_{pk}(t_i, r_i)$. For all other positions $i \in \bar{S}$ (where $\bar{S} = \{1, \ldots, n\} \setminus S(s)$), it commits to randomly chosen values $t'_i \in_R \{0,1\}$, i.e. $E_i = \mathrm{COMMIT}_{pk}(t'_i, r_i)$. It sends $x$ and all $E_i$ to $B'$. 

3. $\hat{B}'$ forces $\mathcal{F}_{\sigma\text{-}\mathrm{COIN}}$ to hit $s$. 

4. $\hat{B}'$ opens $E_i$ to $t_i$ for all $i \in S(s)$, i.e. to all $t_s$. 

5. $\hat{B}'$ outputs whatever $B'$ outputs. 

Figure 10.7: Simulation against dishonest Bob. 

The proof proceeds via a hybrid argument. Let $\mathcal{D}^0$ be the distribution of the simulation as described in Figure 10.7. Let $\mathcal{D}^1$ be the distribution obtained from the simulation but with the following change: We inspect $\mathcal{F}_{\mathrm{ZKPK}(\mathcal{R})}$ to get a valid witness $w$ for instance $x$, and let $e \leftarrow E(x, w, r')$ be the corresponding encoding. Note that this is possible as a thought experiment for any adjacent distribution in a hybrid argument. From $e$ we then use the bits $e_s$ for the same $S(s)$ as previously, instead of the bits $t_s$ sampled by $\mathcal{E}(x, s)$. All other steps are simulated as before. By the simulatability of the encoding scheme (Definition 10.9), it holds that the bits $t_s$ in $\mathcal{D}^0$ and the bits $e_s$ in $\mathcal{D}^1$ have the same distribution. Thus, we obtain $\mathcal{D}^0 = \mathcal{D}^1$. 

We further change the simulation in that we compute the bits in all positions $i \in \bar{S}$ from the encoding $e$ defined in the previous step. Again, all other steps of the simulation remain unchanged. Let $\mathcal{D}^2$ denote the new distribution. The only difference now is that for $i \in \bar{S}$, the commitments $E_i$ are to the bits $e_i$ of a valid $e$ and not to uniformly random bits $t'_i$. This, however, is quantum-computationally indistinguishable to $B'$ for $pk \in_R \{0,1\}^k$, as COMMIT is quantum-computationally hiding towards $B'$. Note that $pk$ is guaranteed to be random by an honest call to $\mathcal{F}_{k\text{-}\mathrm{COIN}}$, and recall that we do not have to open the commitments in these positions. Hence, we get that $\mathcal{D}^1 \stackrel{q}{\approx} \mathcal{D}^2$. 

Note that after the two changes, leading to distributions $\mathcal{D}^1$ and $\mathcal{D}^2$, the commitment step and its opening now proceed as in the actual protocol, namely, we commit to the bits of $e \leftarrow E(x, w, r')$ and open the subset corresponding to $S(s)$. The remaining difference to the real protocol is the enforcement of challenge $s$, whereas $s$ is chosen randomly in the protocol. Now, let $\mathcal{D}^3$ be the distribution of the modified simulation, in which we implement this additional change of invoking $\mathcal{F}_{\sigma\text{-}\mathrm{COIN}}$ honestly and then opening honestly to the resulting $s$. Note that both processes, i.e., first choosing a random $s$ and then enforcing it from $\mathcal{F}_{\sigma\text{-}\mathrm{COIN}}$, or invoking $\mathcal{F}_{\sigma\text{-}\mathrm{COIN}}$ honestly and receiving a random $s$, result in a uniformly random distribution on the output of $\mathcal{F}_{\sigma\text{-}\mathrm{COIN}}$. Thus, we obtain $\mathcal{D}^2 = \mathcal{D}^3$. 

By transitivity, we conclude that $\mathcal{D}^0 \stackrel{q}{\approx} \mathcal{D}^3$, and therewith, that the simulation is quantum-computationally indistinguishable from the actual protocol. ■ 
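The commit-challenge-open structure of ZKPK($\mathcal{R}$) in Figure 10.5, the extraction step of $\hat{A}'$ in Figure 10.6 and the witness-less commitments of $\hat{B}'$ in Figure 10.7, carried through on a toy instance as an added example (not code from the thesis). It assumes a concrete relation, graph isomorphism, with a witness encoding of $\sigma$ repetitions of three positions each; a hash-based stand-in for $\mathrm{COMMIT}_{pk}$; local randomness in place of $\mathcal{F}_{k\text{-}\mathrm{COIN}}$ and $\mathcal{F}_{\sigma\text{-}\mathrm{COIN}}$; and function names (E, D, S, J, sim_E, run_zkpk) chosen here to mirror the text.

```python
import hashlib, json, random

SIGMA = 8  # challenge length sigma; the knowledge error is 2^-SIGMA (constructed value)

# Relation R (constructed toy): x = (G0, G1), witness w = pi with pi(G0) = G1.
def apply_perm(perm, graph):
    """Relabel the vertices of graph (a frozenset of (u, v) edges) by perm."""
    return frozenset(tuple(sorted((perm[u], perm[v]))) for u, v in graph)

def invert(p):
    inv = [0] * len(p)
    for i, v in enumerate(p):
        inv[v] = i
    return inv

def compose(p, q):
    """The permutation i -> p[q[i]] (apply q first, then p)."""
    return [p[q[i]] for i in range(len(q))]

def in_relation(x, w):
    return isinstance(w, list) and apply_perm(w, x[0]) == x[1]

# Witness encoding (E, D, S, J) plus its simulator sim_E, with SIGMA repetitions.
def E(x, w, rng):
    """Repetition j fills positions 3j..3j+2: H_j = rho_j(G0), rho_j, rho_j o pi^-1."""
    e = []
    for _ in range(SIGMA):
        rho = list(range(len(w)))
        rng.shuffle(rho)                      # randomness r' comes from rng
        e += [apply_perm(rho, x[0]), rho, compose(rho, invert(w))]
    return e

def S(s):
    """Positions opened under challenge s: H_j and the permutation selected by s_j."""
    return sorted(p for j, bit in enumerate(s) for p in (3 * j, 3 * j + 1 + bit))

def J(x, s, e_s):
    """Judgment: every opened permutation must map G_{s_j} onto H_j."""
    for j, bit in enumerate(s):
        perm = e_s[3 * j + 1 + bit]
        if not isinstance(perm, list) or apply_perm(perm, x[bit]) != e_s[3 * j]:
            return "abort"
    return "success"

def D(x, e):
    """Decode pi = tau^-1 o rho from an admissible repetition (tau = rho o pi^-1)."""
    for j in range(SIGMA):
        rho, tau = e[3 * j + 1], e[3 * j + 2]
        if isinstance(rho, list) and isinstance(tau, list):
            pi = compose(invert(tau), rho)
            if in_relation(x, pi):
                return pi
    return None                               # e is not admissible: no witness

def sim_E(x, s, n, rng):
    """Encoding simulator: for a known s, bits t_s that pass J without any witness."""
    e = []
    for bit in s:
        rho = list(range(n))
        rng.shuffle(rho)
        slot = [None, None]
        slot[bit] = rho                       # only the slot selected by s_j is filled
        e += [apply_perm(rho, x[bit])] + slot
    return e

# Hash-based stand-in for COMMIT_pk (the thesis uses a mixed commitment instead).
def commit(v, r):
    canon = json.dumps(sorted(v) if isinstance(v, frozenset) else v)
    return hashlib.sha256(canon.encode() + r).hexdigest()

def run_zkpk(x, e, rng, forced_s=None):
    """Steps 2-5 of ZKPK(R); forced_s models a simulator enforcing the coin-flip."""
    r = [rng.getrandbits(128).to_bytes(16, "big") for _ in e]
    coms = [commit(v, ri) for v, ri in zip(e, r)]            # A sends x and all E_i
    s = forced_s if forced_s is not None else [rng.randrange(2) for _ in range(SIGMA)]
    opening = {i: (e[i], r[i]) for i in S(s)}                # A opens e_s
    if any(commit(v, ri) != coms[i] for i, (v, ri) in opening.items()):
        return s, "abort"
    return s, J(x, s, {i: v for i, (v, _) in opening.items()})

# Constructed instance: a 5-cycle G0 and its relabelling G1 under the witness PI.
PI = [2, 0, 3, 1, 4]
G0 = frozenset({(0, 1), (1, 2), (2, 3), (3, 4), (0, 4)})
X = (G0, apply_perm(PI, G0))

def demo(seed=1):
    rng = random.Random(seed)
    e = E(X, PI, rng)
    _, honest = run_zkpk(X, e, rng)                          # completeness
    extracted = D(X, e)                                      # what \hat A' gets via xtr_sk
    guess = [rng.randrange(2) for _ in range(SIGMA)]
    fake = sim_E(X, guess, len(PI), rng)                     # prover without a witness
    s, cheat = run_zkpk(X, fake, rng)                        # accepted only if s == guess
    _, simulated = run_zkpk(X, fake, rng, forced_s=guess)    # \hat B' forces s = guess
    return honest, extracted, (cheat == "success") == (s == guess), D(X, fake), simulated
```

The same routine sim_E plays two roles: it is the encoding simulator $\mathcal{E}(x, s)$ that $\hat{B}'$ uses in step 2 of Figure 10.7, and it is also the best a prover without a witness can do against an honest verifier. Its output answers exactly one challenge, so D returns no witness from the extracted positions and the honest challenge hits it with probability $2^{-\sigma}$, which is the knowledge error in the proof against dishonest Alice; the simulator escapes that bound only because it enforces $s$ on the coin-flip.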



We conclude this section with the corollary that follows straightforwardly from the above construction and proof, and states that mixed commitments, as defined in Section 7.3, imply classical zero-knowledge proofs of knowledge against any poly-sized quantum adversary. 

Corollary 10.2 If there exist mixed commitment schemes, then we can construct a classical zero-knowledge proof of knowledge against any poly-sized quantum adversary $P'$ without any set-up assumptions. 



10.3 Generation of Commitment Keys 

Here, we briefly describe the initial generation of a common reference string for the proposed lattice-based instantiation of the generic compiler, introduced in Chapter 5, according to the specific requirements of its underlying mixed commitment scheme, discussed in Section 4.1. 



10.3.1 Motivation 

The compiler is constructed in the CRS-model to achieve high efficiency. We now aim at circumventing the CRS-assumption, which opens up the possibility of implementing complete protocols in the quantum world without any set-up assumptions. More specifically, we integrate the generation of a common reference string from scratch, based on our quantum-secure coin-flipping; this string is then used during compilation as the commitment key. We want to stress, however, that implementing the entire process comes at the cost of a non-constant-round construction, added to otherwise very efficient protocols under the CRS-assumption. 



10.3.2 The Generation 

Recall that the argument for computational security in Section 5.2 proceeds along the following lines. After the preparation phase, B commits to all his measurement bases and outcomes. The keyed dual-mode commitment scheme has the special property that the key can be generated by one of two possible key-generation algorithms $G_H$ or $G_B$. Depending on the key in use, the scheme provides either flavor of security. Namely, with key $pk_H$ generated by $G_H$, respectively $pk_B$ produced by $G_B$, the commitment scheme is unconditionally hiding, respectively unconditionally binding. Furthermore, the commitment is secure against a quantum adversary and it holds that $pk_H \stackrel{q}{\approx} pk_B$. In the real-world protocol, B uses the unconditionally hiding key $pk_H$ to maintain unconditional security against any unbounded $A'$. To argue security against a computationally bounded $B'$, an information-theoretic argument involving the simulator $\hat{B}'$ is given (in the proof of Theorem 5.1) to prove that $B'$ cannot cheat with the unconditionally binding key $pk_B$. Security in real life then follows from the quantum-computational indistinguishability of $pk_H$ and $pk_B$. 

We want to repeat that we can even weaken the assumption on the hiding key in that we do in fact not require an actual unconditionally hiding key, if the public-key encryption scheme guarantees that a random public key looks pseudo-random to poly-time quantum circuits. As discussed in Section 4.1, the lattice-based crypto-system of Regev [Reg05], which is considered to withstand quantum attacks, is a good candidate to construct such a dual-mode commitment scheme. The public key of a regular key pair can be used as the unconditionally binding key $pk_{B'}$ in our commitment scheme for the ideal-world simulation, and for the real protocol, an unconditionally hiding commitment key $pk_{H'}$ can simply be constructed by uniformly choosing numbers in the same domain. 

The idea is now the following. Let $k$ denote the length of a regular key $pk_{B'}$. We add (at least) $k$ executions of our protocol COIN as a first step to the compiler-construction to generate a uniformly random sequence $coin_1 \ldots coin_k$. These $k$ random bits produce a $pk_{H'}$ as sampled by $G_H$, except with negligible probability. Hence, in the real world, Bob can use key $coin_1 \ldots coin_k = pk_{H'}$ for committing with $C_i = \mathrm{commit}_{pk_{H'}}((\theta_i, x_i), r_i)$ on all positions $i$. Since an ideal-world adversary $B'$ is free to choose any key, it can generate $(pk_{B'}, sk')$, i.e., a regular public key together with a secret key according to Regev's crypto-system. For the security proof, write $pk_{B'} = coin_1 \ldots coin_k$. In the simulation, the compiler's simulator $\hat{B}'$ (as described in the proof of Theorem 5.1) first invokes the coin-flip simulator $\hat{B}'_{\mathrm{COIN}}$ (Figure 8.4) for each $coin_j$ to simulate one coin-flip with $coin_j$ as result. Whenever $\hat{B}'_{\mathrm{COIN}}$ asks $\mathcal{F}_{\mathrm{COIN}}$ to output a bit, it instead receives this $coin_j$. Then the compiler's simulator has the possibility to decrypt dishonest $B'$'s commitments $C_i = \mathrm{commit}_{pk_{B'}}((\theta_i, x_i), r_i)$ during the simulation, which binds $B'$ unconditionally to his committed measurement bases and outcomes. Finally, since we proved in the analysis of protocol COIN that $pk_{H'}$ is a uniformly random string, Regev's proof of semantic security applies, namely that a random public key, chosen independently from a secret key, is indistinguishable from a regular key and that such encodings carry essentially no information about the message. Thus, we obtain $pk_H \stackrel{q}{\approx} pk_B$ and quantum-computational security in real life follows. 
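The two key modes just described, as an added example that is not code from the thesis or from Regev's paper: a toy Regev-style dual-mode commitment for a single bit, where $G_B$ outputs a regular key pair $(pk_{B'}, sk')$ and $G_H$ parses $k$ coin-flips directly into a public key of the same shape. Parameters (N, M, Q), the error distribution, the bit commitment rather than the pair $(\theta_i, x_i)$, a local random generator in place of $k$ runs of COIN, and all function names are assumptions made for this example.

```python
import random

# Constructed toy parameters, far too small for security; chosen so that the
# accumulated error |e.r| <= M stays below Q/4 and never wraps around.
N, M, Q, LOG_Q = 8, 24, 1024, 10        # Q = 2^LOG_Q: one element is exactly LOG_Q coins
KEY_BITS = (N * M + M) * LOG_Q          # k: coin-flips needed for one public key (A, b)

def dot(u, v):
    return sum(a * b for a, b in zip(u, v)) % Q

def gen_binding_key(rng):
    """G_B: regular Regev key pair. pk = (A, b = A^T s + e), sk = s.
    A is N x M over Z_Q, s in Z_Q^N, error entries e_j in {-1, 0, 1}."""
    A = [[rng.randrange(Q) for _ in range(M)] for _ in range(N)]
    s = [rng.randrange(Q) for _ in range(N)]
    e = [rng.choice((-1, 0, 1)) for _ in range(M)]
    b = [(sum(A[i][j] * s[i] for i in range(N)) + e[j]) % Q for j in range(M)]
    return (A, b), s

def gen_hiding_key(coins):
    """G_H: parse KEY_BITS uniformly random coins coin_1 ... coin_k into a key of
    the same shape as pk_B, chosen independently of any secret key."""
    assert len(coins) >= KEY_BITS
    vals = [int("".join(map(str, coins[i:i + LOG_Q])), 2)
            for i in range(0, KEY_BITS, LOG_Q)]
    A = [vals[i * M:(i + 1) * M] for i in range(N)]
    return (A, vals[N * M:N * M + M])

def commit(pk, msg, r):
    """commit_pk(msg, r) for a bit msg and r in {0,1}^M: (A r, b.r + msg*Q/2)."""
    A, b = pk
    u = [dot(A[i], r) for i in range(N)]
    v = (dot(b, r) + msg * (Q // 2)) % Q
    return u, v

def extract(sk, com):
    """With sk = s: v - s.u = e.r + msg*Q/2 (mod Q), which rounds to msg."""
    u, v = com
    d = (v - dot(sk, u)) % Q
    return 1 if Q // 4 < d < 3 * Q // 4 else 0

def demo(seed=7):
    rng = random.Random(seed)
    pk_b, sk = gen_binding_key(rng)                      # ideal world: B' picks (pk_B', sk')
    r = [rng.randrange(2) for _ in range(M)]
    extracted = [extract(sk, commit(pk_b, msg, r)) for msg in (0, 1)]
    coins = [rng.randrange(2) for _ in range(KEY_BITS)]  # stands in for k runs of COIN
    pk_h = gen_hiding_key(coins)                         # real world: pk_H' = coin_1...coin_k
    same_shape = len(pk_h[0]) == len(pk_b[0]) and len(pk_h[1]) == len(pk_b[1])
    return extracted, same_shape
```

With the binding key the holder of $sk'$ decrypts every commitment, which is what lets the simulator read off $B'$'s bases and outcomes; with the key built from coins there is no such $sk'$, and the example can only exhibit that the coin string parses into a syntactically valid key. That a uniform $(A, b)$ is indistinguishable from $(A, A^T s + e)$ is the LWE assumption the text appeals to and is not something a program can demonstrate.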